Windows Analysis Report
bWrRSlOThY.exe

Overview

General Information

Sample name: bWrRSlOThY.exe (renamed because the original name is a hash value)
Original sample name: a2ce48432527c70571d0851c190dbc10.exe
Analysis ID: 1523423
MD5: a2ce48432527c70571d0851c190dbc10
SHA1: 77be1e6207462d2826faf1207960e01a26e30173
SHA256: 0b35e26564684a04734c5e5e2b83957ef5138a945109c6afed27dd3b07d1a370
Tags: AsyncRAT, exe, RAT, user-abuse_ch

Detection

AsyncRAT, Neshta
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected Neshta
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use NTFS Short Name in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • bWrRSlOThY.exe (PID: 3884 cmdline: "C:\Users\user\Desktop\bWrRSlOThY.exe" MD5: A2CE48432527C70571D0851C190DBC10)
    • bWrRSlOThY.exe (PID: 5332 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe" MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
      • bWrRSlOThY.exe (PID: 5100 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe" MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
      • cmd.exe (PID: 5048 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2308 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 3636 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 3504 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • RemoteDestopManagerx86.exe (PID: 3384 cmdline: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe MD5: A2CE48432527C70571D0851C190DBC10)
    • svchost.com (PID: 3492 cmdline: "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE" MD5: 0D5E5847E431EF73C3DF72461943B8BF)
      • RemoteDestopManagerx86.exe (PID: 2308 cmdline: C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
        • RemoteDestopManagerx86.exe (PID: 5332 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE" MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
        • cmd.exe (PID: 5716 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 5608 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 3048 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • cmd.exe (PID: 2168 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • RemoteDestopManagerx86.exe (PID: 340 cmdline: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
    • RemoteDestopManagerx86.exe (PID: 6476 cmdline: "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
    • cmd.exe (PID: 6776 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7072 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4152 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 6748 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • RemoteDestopManagerx86.exe (PID: 2896 cmdline: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
    • RemoteDestopManagerx86.exe (PID: 760 cmdline: "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
    • cmd.exe (PID: 2016 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5076 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7136 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 5536 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • RemoteDestopManagerx86.exe (PID: 5788 cmdline: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
    • RemoteDestopManagerx86.exe (PID: 1524 cmdline: "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" MD5: 31DFB639DA08EFDBE7FF7E289C199ECE)
    • cmd.exe (PID: 2036 cmdline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3320 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5192 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 1008 cmdline: "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through an encrypted connection. It is an open-source remote administration tool, but it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control and many other functions that can harm the victim's computer. AsyncRAT can be delivered via spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name | Description | Attribution | Blogpost URLs | Link
neshta | Neshta is a 2005 Belarusian file-infector virus written in Delphi. The name comes from the Belarusian word "nesta", meaning "something". | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta
{"External_config_on_Pastebin": "null", "Server": "enero2022async.duckdns.org", "Ports": "7784", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "false", "Install_Folder": "bXlnRHNDMm05QXFYVjl0Z2M2b1NvM3VYaHp3Mm1xTUc=", "Install_File": "oLVxEDVrjE41kF/Kv+UXdwzOxnPhrDyl7zZuamLIkan+gMvMd9L5Cmkhy48fYY9PCZCrBfFBHjgQBRrlMTFWcQtW2lu0tPlxsBiOzpT9K94=", "AES_key": "mygDsC2m9AqXV9tgc6oSo3uXhzw2mqMG", "Mutex": "amTy146W6guOfvG1XllaJgoBCa/ZpNlv8iG+9r4zNroBkUbnh3u6MIxFYQSPyQ7thYDAdBqNpoDd5vWTmWG0X7s7yjPGI5zf9kpN882RuFtmsPE98HAHYMdRFAVHYeh5cMcvXBWk1zG/Bg8D66HtZkmsJtzyaaA9J6CYQkX7QtJf+URJeOUSH1D2DYDRxMY87gbKP0+b/jvvC1Na76G97gsXsxrz5/oXC+3DQHZyfwoGFB+dFxVduNfWyXTP4SccLD9LzaogUTInFnuCJ3CvPYOm3irlgNL9OpnvS0TLOeezr79cm0WhnSRtaNzVIWmOd7vRLvi6kN9RFMtB1/Ax5CGupwwbg02ixtUunL0O6IybwMGdnMYQgt9TFQw8Z2gfGgNWMo2OFBrWk9irTuuHNCRWJHERvFEZZSkiivtcjtIYGS2tfoyU8SF5SHw3uxCp1/yHCOawSHN1B8wRmV73YDmJY/eZn6BD3ofEdmm77OzBW3cDPW1vQy1QvnigWM2Gr8gjU2Emc/3NhizuTSUuvhpFnqO8kmQudKHlYXcra4nocdozRMcYqfjeqHh/bCmj5+GZvLW3wehSufhc4Mu7jFx242S4V8+RwR1rjZvjwaPl0zJvnSMnkYEIDXBVed6Fovd2/s7xqyzvnLhnI/KZU6r+Ts1dRHLydErUvEOLa3A=", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
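The extracted configuration above is what a responder turns into indicators. The Python below is an added example, not code from the report, the sandbox or AsyncRAT itself: it parses the configuration, normalises the extractor's string-typed "null"/"true"/"false" values, expands the comma-separated Server/Ports fields the way the AsyncRAT client does (it splits both on commas and pairs hosts with ports), flags the dynamic-DNS C2 host and the cracked-build marker in Version, and checks a quirk visible in this sample: the Install_Folder value is plain base64 of the AES_key string rather than an install path. The list of dynamic-DNS zones is an illustrative assumption, and the Install_File and Mutex blobs, which do not decode to text, are left alone.

```python
import base64
import binascii
import json

# AsyncRAT configuration as extracted by the sandbox above, copied from the
# report (the long Mutex blob is omitted because this example does not use it).
CONFIG_JSON = r'''{"External_config_on_Pastebin": "null",
  "Server": "enero2022async.duckdns.org", "Ports": "7784",
  "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "false",
  "Install_Folder": "bXlnRHNDMm05QXFYVjl0Z2M2b1NvM3VYaHp3Mm1xTUc=",
  "Install_File": "oLVxEDVrjE41kF/Kv+UXdwzOxnPhrDyl7zZuamLIkan+gMvMd9L5Cmkhy48fYY9PCZCrBfFBHjgQBRrlMTFWcQtW2lu0tPlxsBiOzpT9K94=",
  "AES_key": "mygDsC2m9AqXV9tgc6oSo3uXhzw2mqMG", "Certificate": "false",
  "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3",
  "Group": "null"}'''

# Illustrative list of dynamic-DNS zones (assumption); extend from your own intel.
DYNAMIC_DNS_ZONES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net",
                     "hopto.org", "dynu.com", "freedns.afraid.org")


def normalize(raw: dict) -> dict:
    """Map the extractor's string-typed values onto Python types.

    AsyncRAT stores unset fields as the literal string "null" and booleans as
    "true"/"false"; left as strings, a check like `if cfg["Group"]:` is wrong.
    """
    out = {}
    for key, value in raw.items():
        if value == "null":
            out[key] = None
        elif value in ("true", "false"):
            out[key] = value == "true"
        else:
            out[key] = value
    return out


def parse_config(text: str) -> dict:
    return normalize(json.loads(text))


def c2_endpoints(cfg: dict) -> list:
    """Server and Ports are comma-separated lists in AsyncRAT; the client
    picks a host/port pair from them, so every combination is an IOC."""
    hosts = [h.strip() for h in (cfg.get("Server") or "").split(",") if h.strip()]
    ports = [int(p) for p in (cfg.get("Ports") or "").split(",") if p.strip()]
    return [(h, p) for h in hosts for p in ports]


def is_dynamic_dns(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def decode_b64_text(value: str):
    """Printable ASCII text behind a base64 field, or None when the field is
    not clean base64 or decodes to binary (as the Install_File blob does)."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def triage(cfg: dict) -> dict:
    endpoints = c2_endpoints(cfg)
    version = cfg.get("Version") or ""
    return {
        "c2": endpoints,
        "dynamic_dns": any(is_dynamic_dns(h) for h, _ in endpoints),
        "cracked_build": "CRACKED" in version.upper(),
        # In this sample Install_Folder is just base64(AES_key), not a path.
        "install_folder_is_b64_key":
            decode_b64_text(cfg.get("Install_Folder") or "") == cfg.get("AES_key"),
        "startup_delay_s": int(cfg.get("Startup_Delay") or 0),
        "server_signature_check": bool(cfg.get("ServerSignature")),
    }


if __name__ == "__main__":
    for key, value in triage(parse_config(CONFIG_JSON)).items():
        print(f"{key}: {value}")
```

The Suricata alerts further down confirm the derived endpoint: the sandbox host talked to 172.94.108.143 on TCP 7784, which is the port from this configuration.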
Source | Rule | Description | Author | Strings (listed under each row)
bWrRSlOThY.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
bWrRSlOThY.exe | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]

Source | Rule | Description | Author | Strings (listed under each row)
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x423d:$x1: AsyncRAT
  • 0x427b:$x1: AsyncRAT

Source | Rule | Description | Author | Strings (listed under each row)
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Uninstall.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
C:\Program Files (x86)\AutoIt3\Uninstall.exe | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
[343 entries in this table; only the first are shown]

Source | Rule | Description | Author | Strings (listed under each row)
0000001E.00000002.3408804926.0000000004CC8000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xc653:$x1: AsyncRAT
  • 0xc691:$x1: AsyncRAT
00000003.00000002.4617709059.000000000120E000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xfe2f:$x1: AsyncRAT
  • 0xfe6d:$x1: AsyncRAT
00000013.00000002.2815936645.0000000004DF8000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd7eb:$x1: AsyncRAT
  • 0xd829:$x1: AsyncRAT
00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xcf60:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10238:$a2: Stub.exe
  • 0x102c8:$a2: Stub.exe
  • 0x9773:$a3: get_ActivatePong
  • 0xd178:$a4: vmware
  • 0xcff0:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa6d9:$a6: get_SslClient
[35 entries in this table; only the first are shown]

Source | Rule | Description | Author | Strings (listed under each row)
18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xb360:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xe238:$a2: Stub.exe
  • 0xe2c8:$a2: Stub.exe
  • 0x7b73:$a3: get_ActivatePong
  • 0xb578:$a4: vmware
  • 0xb3f0:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x8ad9:$a6: get_SslClient
18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xb3f2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.0.bWrRSlOThY.exe.400000.0.unpack | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
0.0.bWrRSlOThY.exe.400000.0.unpack | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
[43 entries in this table; only the first are shown]
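The YARA hits above are string rules: the Neshta rows match two fixed marker strings, and the ditekSHen ASEP rule matches the Run key path stored backwards (nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS), which AsyncRAT reverses at runtime so a forward string search for the autorun key misses it. The Python below is an added example, not the YARA rules themselves or the sandbox's code: it builds the reversed and UTF-16LE ("wide") variants of a few autorun key paths plus the two Neshta marker strings, scans a buffer, and decodes each hit back to the string the malware will actually use. The sample buffer is constructed for the example and is not a real binary; the set of autorun paths is a small illustrative selection.

```python
import re

# Constructed sample buffer (not a real binary): one Neshta marker string and
# the reversed Run-key path seen in the report, padded with null bytes.
SAMPLE = (b"\x00" * 16
          + b"Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus."
          + b"\x00" * 8
          + b"\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS"
          + b"\x00" * 8)

NESHTA_MARKERS = [
    b"Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.",
    b"! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]",
]

# Autorun (ASEP) paths whose reversed forms we look for (illustrative subset).
ASEP_PATHS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
]


def wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII byte string (what YARA's 'wide' modifier matches)."""
    return s.decode("ascii").encode("utf-16-le")


def build_rules() -> dict:
    """Rule name -> list of (form, compiled bytes regex)."""
    rules = {"Neshta_markers": [], "ASEP_reg_reverse": []}
    for marker in NESHTA_MARKERS:
        rules["Neshta_markers"].append(("ascii", re.compile(re.escape(marker))))
    for path in ASEP_PATHS:
        rev = path[::-1]  # the string as it sits in the binary, backwards
        rules["ASEP_reg_reverse"].append(
            ("ascii-reversed", re.compile(re.escape(rev), re.IGNORECASE)))
        rules["ASEP_reg_reverse"].append(
            ("wide-reversed", re.compile(re.escape(wide(rev)), re.IGNORECASE)))
    return rules


def decode_hit(form: str, data: bytes) -> str:
    """Turn matched bytes back into the string the malware uses at runtime."""
    text = data.decode("utf-16-le") if form.startswith("wide") else data.decode("ascii")
    return text[::-1] if form.endswith("reversed") else text


def scan(buf: bytes) -> list:
    """Return every match as {rule, form, offset, decoded}, ordered by offset."""
    hits = []
    for rule, patterns in build_rules().items():
        for form, rx in patterns:
            for m in rx.finditer(buf):
                hits.append({"rule": rule, "form": form, "offset": m.start(),
                             "decoded": decode_hit(form, m.group(0))})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['offset']:#08x} {h['rule']:<18} {h['form']:<15} {h['decoded']}")
```

A buffer holding the reversed RunOnce path also matches the reversed Run path at a later offset, because one is a suffix of the other; YARA behaves the same way, so count distinct decoded strings rather than raw hits when scoring.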

System Summary

Source: Registry Key set
  • Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  • Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\bWrRSlOThY.exe, ProcessId: 3884, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
Source: Process started
  • Author: Florian Roth (Nextron Systems)
  • Data: Command: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f, CommandLine: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2308, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f, ProcessId: 3636, ProcessName: schtasks.exe
Source: Process started
  • Author: frack113, Nasreddine Bencherchali (Nextron Systems)
  • Data: Command: "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE", CommandLine: "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE", CommandLine|base64offset|contains: , Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe, ParentImage: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe, ParentProcessId: 3384, ParentProcessName: RemoteDestopManagerx86.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE", ProcessId: 3492, ProcessName: svchost.com
Source: Process started
  • Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
  • Data: Command: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86", CommandLine: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe", ParentImage: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe, ParentProcessId: 5332, ParentProcessName: bWrRSlOThY.exe, ProcessCommandLine: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86", ProcessId: 5048, ProcessName: cmd.exe
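The process tree and the Sigma hits above give a detection engineer three concrete things to key on: the Neshta handler hijack (HKLM\SOFTWARE\Classes\exefile\shell\open\command set to C:\Windows\svchost.com "%1" %*, so every .exe launch runs the infector first), the AsyncRAT persistence task re-launched every minute from a path under %AppData%, and the NTFS 8.3 short name REMOTE~1.EXE on a command line. The Python below is an added example, not the Sigma rules or any sandbox code: simplified versions of those three checks run over Sysmon-style events constructed from the report (two benign control events are added, marked as such), plus a small parser for the schtasks trigger. The rule names are taken from the signature list; the matching logic is a deliberate simplification of the real Sigma rules, and the directory and registry-key lists are assumptions.

```python
import re

# Constructed Sysmon-style events built from the report's process tree and
# Sigma hits (EventID 1 = process creation, EventID 13 = registry value set).
# Events 3 and 4 are benign controls that must not fire.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\bWrRSlOThY.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": r'C:\Windows\svchost.com "%1" %*'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f'''},
    {"EventID": 1, "Image": r"C:\Windows\svchost.com",
     "CommandLine": r'"C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",  # benign control
     "CommandLine": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /f'},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",           # benign control
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": r'"%1" %*'},
]

# Assumed subset of file-class handler keys Neshta-style infectors hijack.
CLASSES_AUTORUN_KEYS = (r"\classes\exefile\shell\open\command",
                        r"\classes\batfile\shell\open\command",
                        r"\classes\comfile\shell\open\command")
DEFAULT_EXEFILE_HANDLER = '"%1" %*'
# Assumed user-writable locations a scheduled task should not normally run from.
USER_WRITABLE_DIRS = (r"\appdata\roaming", r"\appdata\local", r"\users\public", r"\programdata")
# 8.3 short names look like REMOTE~1.EXE or PROGRA~1.
SHORT_NAME_RE = re.compile(r"\w{1,6}~\d+(?:\.\w{1,3})?\b", re.IGNORECASE)


def rule_classes_autorun(ev):
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if not any(key in target for key in CLASSES_AUTORUN_KEYS):
        return None
    if ev.get("Details", "").strip() == DEFAULT_EXEFILE_HANDLER:
        return None  # handler restored to the Windows default, not a hijack
    return "Classes Autorun Keys Modification"


def rule_schtasks_userdir(ev):
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith(r"\schtasks.exe"):
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "/create" in cmd and any(d in cmd for d in USER_WRITABLE_DIRS):
        return "Suspicious Schtasks From Env Var Folder"
    return None


def rule_short_name(ev):
    if ev.get("EventID") == 1 and SHORT_NAME_RE.search(ev.get("CommandLine", "")):
        return "Use NTFS Short Name in Command Line"
    return None


RULES = (rule_classes_autorun, rule_schtasks_userdir, rule_short_name)


def scan(events) -> list:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name in (rule(ev) for rule in RULES) if name]


def schtasks_trigger(cmdline: str):
    """Task name, schedule type and modifier from a schtasks /create line."""
    if not re.search(r"/create\b", cmdline, re.IGNORECASE):
        return None

    def grab(flag, pattern):
        m = re.search(r"/" + flag + r"\s+" + pattern, cmdline, re.IGNORECASE)
        return m.group(1) if m else None

    modifier = grab("mo", r"(\d+)")
    return {"task": grab("tn", r'"?([^"\s]+)"?'),
            "schedule": (grab("sc", r"(\w+)") or "").lower(),
            "modifier": int(modifier) if modifier else None}


if __name__ == "__main__":
    for idx, name in scan(EVENTS):
        print(f"event {idx}: {name}")
    print(schtasks_trigger(EVENTS[1]["CommandLine"]))
```

Schedule "minute" with modifier 1 is the every-minute re-spawn seen in the process tree: the task restarts RemoteDestopManagerx86.exe from %AppData% even after the process is killed, so remediation has to delete the task before killing the process. The handler hijack likewise has to be reverted to "%1" %* or every executable launched during cleanup re-runs svchost.com.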
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-01T15:47:18.825947+0200 | 2035595 | 1 | Domain Observed Used for C2 Detected | 172.94.108.143 | 7784 | 192.168.2.6 | 49712 | TCP
2024-10-01T15:47:18.825947+0200 | 2035607 | 1 | Domain Observed Used for C2 Detected | 172.94.108.143 | 7784 | 192.168.2.6 | 49712 | TCP
2024-10-01T15:47:18.825947+0200 | 2842478 | 1 | Malware Command and Control Activity Detected | 172.94.108.143 | 7784 | 192.168.2.6 | 49712 | TCP

AV Detection

Source: bWrRSlOThY.exe | Avira: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT (same configuration as the extracted configuration listed above: Server enero2022async.duckdns.org, Ports 7784)
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE | ReversingLabs: Detection: 100%
Source: bWrRSlOThY.exe | ReversingLabs: Detection: 100%
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
                Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Joe Sandbox ML: detected
                Source: bWrRSlOThY.exe | Joe Sandbox ML: detected
                Source: bWrRSlOThY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe0.0.dr, cookie_exporter.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
                Source: Binary string: mpextms.pdb source: mpextms.exe0.0.dr
                Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe0.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
                Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
                Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
                Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
                Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
                Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
                Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
                Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
                Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedgewebview2.exe.pdb source: msedgewebview2.exe0.0.dr
                Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
                Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
                Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe0.0.dr, cookie_exporter.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedgewebview2.exe.pdbOGP source: msedgewebview2.exe0.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe0.0.dr
                Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
                Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
                Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.0.dr
                Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
                Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
                Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
                Source: Binary string: lper.pdb source: SDXHelper.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
                Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
                Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
                Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
                Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
                Source: Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr

                Spreading

                Source: Yara match | File source: bWrRSlOThY.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.bWrRSlOThY.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2592455877.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 3884, type: MEMORYSTR
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\

                Networking

                Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 172.94.108.143:7784 -> 192.168.2.6:49712
                Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 172.94.108.143:7784 -> 192.168.2.6:49712
                Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 172.94.108.143:7784 -> 192.168.2.6:49712
                Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 172.94.108.143:7784 -> 192.168.2.6:49712
                Source: Malware configuration extractor | URLs: enero2022async.duckdns.org
                Source: unknown | DNS query: name: enero2022async.duckdns.org
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32d867c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32c7dec.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.raw.unpack, type: UNPACKEDPE
                Source: Joe Sandbox View | ASN Name: M247GB M247GB
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficDNS traffic detected: DNS query: enero2022async.duckdns.org
                Source: integrator.exe.0.drString found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
                Source: OLicenseHeartbeat.exe.0.drString found in binary or memory: http://CodeTypeIsExpectedOffice.System.ResultGlobal
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                Source: AdobeARMHelper.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                Source: armsvc.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                Source: bWrRSlOThY.exe, 00000003.00000002.4617709059.0000000001251000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownloa
                Source: bWrRSlOThY.exe, 00000003.00000002.4617709059.00000000011A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: bWrRSlOThY.exe, 00000003.00000002.4617709059.00000000011A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA
                Source: bWrRSlOThY.exe, 00000003.00000002.4617709059.00000000011A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enj
                Source: bWrRSlOThY.exe, 00000000.00000002.2592410270.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://ocsp.digicert.com0
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                Source: bWrRSlOThY.exe, 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                Source: Aut2exe.exe.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/
                Source: Aut2exe.exe.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/8
                Source: AutoIt3_x64.exe.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/J
                Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
                Source: msedgewebview2.exe0.0.drString found in binary or memory: https://crashpad.chromium.org/
                Source: msedgewebview2.exe0.0.drString found in binary or memory: https://crashpad.chromium.org/bug/new
                Source: msedgewebview2.exe0.0.drString found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
                Source: msedge_pwa_launcher.exe.0.dr, msedgewebview2.exe0.0.dr, setup.exe0.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
                Source: msedge_pwa_launcher.exe.0.dr, msedgewebview2.exe0.0.dr, setup.exe0.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
                Source: OLicenseHeartbeat.exe.0.drString found in binary or memory: https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader
                Source: integrator.exe.0.drString found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
                Source: integrator.exe.0.drString found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
                Source: RemoteDestopManagerx86.exe, 00000030.00000002.4611188210.000000000271C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://t.me/xworm_v2
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: https://www.autoitscript.com/autoit3/
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: https://www.globalsign.com/repository/0

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32c7dec.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32d867c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32d867c.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32c7dec.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 5332, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 5100, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 2308, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 5332, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 340, type: MEMORYSTR
                Source: integrator.exe.0.dr | Binary or memory string: RegisterRawInputDevicesmemstr_5711b823-8

                System Summary

                Source: bWrRSlOThY.exe, type: SAMPLE | Matched rule: Detects Neshta Author: ditekSHen
                Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 0.0.bWrRSlOThY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Neshta Author: ditekSHen
                Source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 2.2.bWrRSlOThY.exe.32c7dec.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 2.2.bWrRSlOThY.exe.32c7dec.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 2.2.bWrRSlOThY.exe.32d867c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 2.2.bWrRSlOThY.exe.32d867c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 2.2.bWrRSlOThY.exe.32d867c.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 2.2.bWrRSlOThY.exe.32d867c.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 2.2.bWrRSlOThY.exe.32c7dec.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 2.2.bWrRSlOThY.exe.32c7dec.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 0000001E.00000002.3408804926.0000000004CC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000003.00000002.4617709059.000000000120E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000013.00000002.2815936645.0000000004DF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 00000030.00000002.4609082147.0000000000866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 00000027.00000002.4004536747.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000003.00000002.4617709059.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                Source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000030.00000002.4611188210.000000000272F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000027.00000002.4005507938.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000001E.00000002.3398649421.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000013.00000002.2814476665.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: Process Memory Space: bWrRSlOThY.exe PID: 5332, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: Process Memory Space: bWrRSlOThY.exe PID: 5100, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 2308, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 5332, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 5332, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 340, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 6476, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 760, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 1524, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Windows\svchost.com, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
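The dropped-file rows above are the scoping data an incident responder needs from this report: which installed software (Office, Edge, the Google and Java updaters, the Windows Defender platform folder, AutoIt) the Neshta file infector reached, and how many times each binary was hit. The script below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It parses signature rows in the form they take in this extraction (with the "type" and "Matched rule" cells run together, or separated by a pipe), deduplicates the dropped-file paths, counts infected files per top-level directory, and also picks up the SAMPLE and UNPACKEDPE YARA rows that appear further down in the report. The sample rows are constructed from rows on this page (one Elastic row is truncated for brevity); `parse_row`, `triage` and the other names are the example's own.

```python
"""Parse flattened Joe Sandbox signature rows and scope a Neshta infection.

Added example, not part of the Joe Sandbox report. It assumes the row layout
seen on this page: "Source: <path>, type: <TYPE>Matched rule: <rule> ..." with
the cells either run together or separated by " | ".
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed input: rows copied from this report (one in the pipe-separated
# form, one Elastic row shortened), plus a non-YARA row the parser must skip.
SAMPLE_ROWS = [
    r"Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen",
    r"Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen",
    r"Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen",
    r"Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen",
    r"Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED | Matched rule: Detects Neshta | Author: ditekSHen",
    r"Source: bWrRSlOThY.exe, type: SAMPLEMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta",
    r"Source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows",
    r"Source: C:\Users\user\Desktop\bWrRSlOThY.exe, File created: C:\Windows\svchost.com",
]

# "type" is an all-caps token; the "Matched rule" cell may follow it directly
# (extraction artifact) or after a " | " separator.
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*\|?\s*Matched rule:\s*(?P<rest>.+)$"
)
# The rule name ends where the rule's metadata (author, reference sample, ...) begins.
RULE_END_RE = re.compile(r"(?:\s*\|\s*|\s+)(?:Author:|author\s*=|reference_sample\s*=|description\s*=)")
AUTHOR_RE = re.compile(r"(?:Author:|author\s*=)\s*([^\s,|]+)")


def parse_row(line):
    """Return {source, type, rule, author} for a YARA-match row, else None."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    rule = RULE_END_RE.split(rest, maxsplit=1)[0].strip()
    author = AUTHOR_RE.search(rest)
    return {
        "source": m.group("source"),
        "type": m.group("type"),
        "rule": rule,
        "author": author.group(1) if author else None,
    }


def dropped_paths(rows, rule="Detects Neshta"):
    """Unique paths of dropped files that matched `rule`, in report order."""
    return list(dict.fromkeys(
        r["source"] for r in rows if r["type"] == "DROPPED" and r["rule"] == rule
    ))


def by_directory(paths, depth=2):
    """Count unique infected files per top-level directory, e.g. 'Program Files (x86)\\Microsoft'."""
    counts = Counter()
    for p in paths:
        parts = PureWindowsPath(p).parts  # ('C:\\', 'Program Files (x86)', 'Microsoft', ...)
        counts["\\".join(parts[1:1 + depth])] += 1
    return counts


def triage(lines):
    """Parse all rows and summarise what the infector touched."""
    rows = [r for r in map(parse_row, lines) if r is not None]
    paths = dropped_paths(rows)
    return {
        "rows": rows,
        "dropped": paths,
        "by_directory": by_directory(paths),
        # Repeated rows for one path mean the file was dropped/matched more than once.
        "hits_per_file": Counter(r["source"] for r in rows if r["type"] == "DROPPED"),
        "rules": sorted({(r["type"], r["rule"]) for r in rows}),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for directory, n in result["by_directory"].most_common():
        print(f"{n:3d}  {directory}")
    for path, n in result["hits_per_file"].items():
        if n > 1:
            print(f"{path} matched {n} times")
    for kind, rule in result["rules"]:
        print(f"{kind}: {rule}")
```

Run it over the full report text (one row per line) to get the list of binaries that need to be restored from known-good media; note that the infected set includes the Defender platform binaries (MsMpEng.exe, MpCmdRun.exe, NisSrv.exe), so the host's own AV cannot be trusted to clean itself.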
Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Code function: 2_2_03276B60 CreateProcessAsUserA | 2_2_03276B60
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Windows\svchost.com
Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Code function: 3_2_07581B10 | 3_2_07581B10
Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Code function: 18_2_00C71D6D | 18_2_00C71D6D
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 6CF772752F25B150052F17600F5D08876E87FCAF774CE834A896688B1836BFD7
Source: bWrRSlOThY.exe, 00000000.00000003.2147391805.0000000002064000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinHTTrack.exeT vs bWrRSlOThY.exe
Source: bWrRSlOThY.exe, 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs bWrRSlOThY.exe
Source: bWrRSlOThY.exe, 00000002.00000000.2150026533.0000000000FE2000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenameWinHTTrack.exeT vs bWrRSlOThY.exe
Source: bWrRSlOThY.exe, 00000002.00000002.2159142153.00000000014FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs bWrRSlOThY.exe
Source: bWrRSlOThY.exe, 00000003.00000002.4628284639.00000000057E9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs bWrRSlOThY.exe
Source: bWrRSlOThY.exe | Binary or memory string: OriginalFilenameWinHTTrack.exeT vs bWrRSlOThY.exe
Source: bWrRSlOThY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: bWrRSlOThY.exe, type: SAMPLE | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.bWrRSlOThY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.bWrRSlOThY.exe.32c7dec.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.bWrRSlOThY.exe.32c7dec.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.bWrRSlOThY.exe.32d867c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.bWrRSlOThY.exe.32d867c.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.bWrRSlOThY.exe.32d867c.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 2.2.bWrRSlOThY.exe.32d867c.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 2.2.bWrRSlOThY.exe.32c7dec.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 2.2.bWrRSlOThY.exe.32c7dec.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 0000001E.00000002.3408804926.0000000004CC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000003.00000002.4617709059.000000000120E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000013.00000002.2815936645.0000000004DF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 00000030.00000002.4609082147.0000000000866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 00000027.00000002.4004536747.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000003.00000002.4617709059.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                Source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000030.00000002.4611188210.000000000272F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000027.00000002.4005507938.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000001E.00000002.3398649421.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000013.00000002.2814476665.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Process Memory Space: bWrRSlOThY.exe PID: 5332, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: Process Memory Space: bWrRSlOThY.exe PID: 5100, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 2308, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 5332, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 5332, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 340, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 6476, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 760, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Process Memory Space: RemoteDestopManagerx86.exe PID: 1524, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Windows\svchost.com, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
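Every path in the list above is a legitimate third-party or Windows component under Program Files or ProgramData that now matches a Neshta rule, and the report's process chain further down shows the sample writing a copy of itself into Temp\3582-490 and C:\Windows\svchost.com launching a file from that directory. That is the footprint of a prepending file infector: each victim file begins with the infector's own loader and carries the original program behind it, and the loader writes the original back out and runs it. The following is an added example, not part of the Joe Sandbox report and not the MALWARE_Win_Neshta rule. It finds every MZ/PE header in a file, computes where the leading image's sections end on disk, and treats a second complete PE header at or past that point as a prepended host, which it carves and hashes. It assumes nothing about Neshta's exact stub size; build_min_pe only constructs a tiny synthetic PE for the demonstration and contains no real code.

```python
"""Spot a prepender-style PE infection and carve the original host program.
Added example; not part of the Joe Sandbox report or of the MALWARE_Win_Neshta rule."""
import hashlib
import struct

SECTION = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def pe_signature_at(data, mz_off):
    """Offset of the PE\\0\\0 signature for an MZ header at mz_off, or None if it is not a PE."""
    if data[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 24 > len(data):
        return None
    return pe_off if data[pe_off:pe_off + 4] == b"PE\x00\x00" else None


def raw_end(data, mz_off):
    """Where the image starting at mz_off ends on disk: the furthest section's
    PointerToRawData + SizeOfRawData (or the end of the headers if that is larger).
    Anything after this offset is overlay, which is where a prepender keeps the host."""
    pe_off = pe_signature_at(data, mz_off)
    if pe_off is None:
        return None
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    if table + nsect * SECTION.size > len(data):
        return None
    end = table + nsect * SECTION.size - mz_off                 # relative to the image start
    for i in range(nsect):
        _, _, _, raw_size, raw_ptr, *_ = SECTION.unpack_from(data, table + i * SECTION.size)
        end = max(end, raw_ptr + raw_size)
    return min(mz_off + end, len(data))


def pe_images(data):
    """Offsets of every plausible PE image embedded anywhere in data."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pe_signature_at(data, pos) is not None:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def analyse(data):
    """Classify: a second complete PE header sitting in the first image's overlay marks a
    prepender-infected file; the trailing image is the original host and gets hashed."""
    images = pe_images(data)
    result = {"images": images, "prepender": False, "stub_end": None,
              "host_offset": None, "host_sha256": None}
    if not images or images[0] != 0:
        return result
    stub_end = raw_end(data, 0)
    result["stub_end"] = stub_end
    # PEs located inside the leading image's sections are ordinary embedded resources
    # (icons, installers, updaters): only an image at or beyond the overlay boundary counts.
    trailing = [off for off in images[1:] if stub_end is not None and off >= stub_end]
    if trailing:
        host = data[trailing[0]:]
        result.update(prepender=True, host_offset=trailing[0], host_sha256=sha256_hex(host))
    return result


def build_min_pe(payload):
    """Construct a tiny, structurally valid PE32 with one .text section. Test fixture only:
    there is no executable code in it and it is not derived from any sample."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)                       # PE32 magic, rest zero
    raw_ptr = 0x200
    sect = SECTION.pack(b".text\x00\x00\x00", len(payload), 0x1000,
                        len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sect
    return headers + bytes(raw_ptr - len(headers)) + payload


if __name__ == "__main__":
    stub = build_min_pe(b"INFECTOR-STUB" * 3)          # stands in for the infector's loader
    host = build_min_pe(b"ORIGINAL-HOST-PROGRAM" * 5)  # stands in for e.g. XLICONS.EXE
    for label, blob in (("clean host", host), ("infected", stub + host)):
        print(label, analyse(blob))
```

A positive from analyse is a reason to verify, not a verdict: installers and self-extractors also keep a PE in their overlay, so compare the carved host's SHA-256 with a clean copy of the vendor binary or check its Authenticode signature before calling a file infected. The Yara rule above matches the leading loader bytes; this structural check complements it by recovering the host, and the hash of that carved image, rather than of the infected file, is the useful indicator when restoring the dozens of Office, Edge, Java and Defender binaries listed above.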
Source: bWrRSlOThY.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bWrRSlOThY.exe.0.dr, --.cs; Cryptographic APIs: 'CreateDecryptor'
Source: bWrRSlOThY.exe.0.dr, --.cs; Cryptographic APIs: 'TransformFinalBlock' (2 identical entries)
Source: MpCmdRun.exe2.0.dr; Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathuserIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"
Source: msedgewebview2.exe0.0.dr; Binary string: @g_interceptionsntdll.dllg_originals\Device\\/?/?\\??\ntdll.dllRtlInitUnicodeStringntdll.dll\KnownDllsDeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedNameuserenvchromeInstallFileslpacChromeInstallFilesmediaFoundationCdmFileslpacMediaFoundationCdmDatalpacEdgeWdagCommslpacChromeNetworkSandboxKeyg_handles_to_close
Source: msedgewebview2.exe0.0.dr; Binary string: \\.\\Device\DeviceApi\Device\DeviceApi\CMApintdll.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolume
Source: classification engine; Classification label: mal100.spre.troj.evad.winEXE@76/183@5/1
Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe; File created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86
Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:500:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4596:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1936:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe; Mutant created: \Sessions\1\BaseNamedObjects\@"%&$#27543qqwyhaf
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2100:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Users\user\Desktop\bWrRSlOThY.exe; File created: C:\Users\user\AppData\Local\Temp\3582-490
Source: bWrRSlOThY.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.36%
Source: C:\Users\user\Desktop\bWrRSlOThY.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\bWrRSlOThY.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: integrator.exe.0.dr; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: bWrRSlOThY.exe; ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\bWrRSlOThY.exe; File read: C:\Users\user\Desktop\bWrRSlOThY.exe
Source: unknown; Process created: C:\Users\user\Desktop\bWrRSlOThY.exe "C:\Users\user\Desktop\bWrRSlOThY.exe"
Source: C:\Users\user\Desktop\bWrRSlOThY.exe; Process created: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe; Process created: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe; Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE"
Source: C:\Windows\svchost.com; Process created: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe; Process created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeProcess created: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exeProcess created: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /fJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /fJump to behavior
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE" Jump to behavior
                Source: C:\Windows\svchost.comProcess created: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exeProcess created: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE"
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: cryptnet.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: webio.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: cabinet.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\svchost.com | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe0.0.dr, cookie_exporter.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
                Source: Binary string: mpextms.pdb source: mpextms.exe0.0.dr
                Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe0.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
                Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
                Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
                Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
                Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
                Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
                Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
                Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
                Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedgewebview2.exe.pdb source: msedgewebview2.exe0.0.dr
                Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
                Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
                Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe0.0.dr, cookie_exporter.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedgewebview2.exe.pdbOGP source: msedgewebview2.exe0.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe0.0.dr
                Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
                Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
                Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.0.dr
                Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
                Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
                Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
                Source: Binary string: lper.pdb source: SDXHelper.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
                Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
                Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
                Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
                Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
                Source: Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Code function: 48_2_00CF06AF push esp; retf 0000h | 48_2_00CF06BA
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Code function: 48_2_00CF06A0 push ecx; retf 0000h | 48_2_00CF06AA
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Code function: 48_2_00CF063D push edi; retf 0000h | 48_2_00CF0652
                Source: bWrRSlOThY.exe.0.dr | Static PE information: section name: .text entropy: 7.421934398841216

                Persistence and Installation Behavior

                Source: Yara match | File source: bWrRSlOThY.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.bWrRSlOThY.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2592455877.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 3884, type: MEMORYSTR
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; File created: C:\Windows\svchost.com
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe; Executable created and started: C:\Windows\svchost.com
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exeJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to behavior
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile created: C:\Windows\svchost.comJump to dropped file

                Boot Survival

                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32c7dec.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32d867c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32d867c.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32c7dec.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 5332, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 5100, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 2308, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 5332, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 340, type: MEMORYSTR
                Source: Yara match | File source: bWrRSlOThY.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.bWrRSlOThY.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2592455877.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 3884, type: MEMORYSTR
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
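                The two observations above are the persistence mechanisms that matter for clean-up: a scheduled task that re-launches RemoteDestopManagerx86.exe from AppData\Roaming every minute (a watchdog rather than a job), and a rewrite of the exefile shell\open\command verb, recorded here with data NULL, next to the C:\Windows\svchost.com drop. The following Python triage script is an added example, not Joe Sandbox code or anything from the sample: it parses a schtasks /create command line and scores it, and it compares the exefile verb against the Windows default "%1" %*. The telemetry record format is hypothetical and the records are constructed; the svchost.com registry datum is what the Neshta family is known to write, supplied here because the report itself did not capture the data.

```python
"""Triage of the two Boot Survival mechanisms in the report: a minute-interval
schtasks job pointing into AppData\\Roaming (AsyncRAT) and a rewritten
HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command verb (Neshta).
Added example; the telemetry records below are constructed, not sandbox output."""
import re
from dataclasses import dataclass
from typing import Optional

# Windows default data for HKLM\SOFTWARE\Classes\exefile\shell\open\command.
EXEFILE_DEFAULT_COMMAND = '"%1" %*'
EXEFILE_OPEN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"

# Path fragments a scheduled-task action should not normally point into.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")


@dataclass
class TaskFinding:
    name: str
    schedule: str
    modifier: Optional[int]
    action: str
    reasons: list

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _tokens(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted runs as one token."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _switches(tokens: list) -> dict:
    """Map schtasks-style /switch -> value ('' for a bare switch such as /f)."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = ""
        i += 1
    return opts


def analyze_schtasks(cmdline: str, max_minutes: int = 5) -> Optional[TaskFinding]:
    """Return a finding for a `schtasks /create` command line, None for anything else."""
    tokens = _tokens(cmdline)
    if not tokens or tokens[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts = _switches(tokens[1:])
    if "create" not in opts:
        return None
    schedule = opts.get("sc", "").lower()
    raw_mod = opts.get("mo", "")
    modifier = int(raw_mod) if raw_mod.isdigit() else None
    action = opts.get("tr", "").strip("'")  # this sample wraps the path in single quotes
    reasons = []
    if schedule == "minute" and modifier is not None and modifier <= max_minutes:
        reasons.append(f"re-launches every {modifier} minute(s): a watchdog, not a job")
    if any(m in action.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("action binary lives in a user-writable directory")
    return TaskFinding(opts.get("tn", ""), schedule, modifier, action, reasons)


def check_exefile_command(key: str, data: Optional[str]) -> Optional[str]:
    """Flag a rewritten exefile open verb; None when the key is untouched or irrelevant."""
    if key.lower() != EXEFILE_OPEN_KEY.lower():
        return None
    if data is None:  # the sandbox recorded the change but not the data (NULL above)
        return "exefile open verb modified, data not captured: dump the key on the host"
    if data.strip() == EXEFILE_DEFAULT_COMMAND:
        return None
    return f"every .exe launch now routes through: {data}"


def triage(records: list) -> list:
    """Run both checks over simple telemetry dicts and return alert strings."""
    alerts = []
    for r in records:
        if r["type"] == "process":
            f = analyze_schtasks(r["command_line"])
            if f and f.suspicious:
                alerts.append(f"task {f.name!r} -> {f.action}: " + "; ".join(f.reasons))
        elif r["type"] == "registry":
            why = check_exefile_command(r["key"], r.get("data"))
            if why:
                alerts.append(f"{r['key']}: {why}")
    return alerts


# Constructed telemetry: record 1 mirrors the schtasks command in the report, record 2
# is a benign task for contrast, record 3 carries the data Neshta is known to write
# (the report only recorded that the key changed), record 4 is the untouched default.
SAMPLE_RECORDS = [
    {"type": "process", "command_line":
        'schtasks /create /sc minute /mo 1 /tn "Nafifas" '
        '/tr "\'C:\\Users\\user\\AppData\\Roaming\\RemoteDestopManagerx86\\RemoteDestopManagerx86.exe\'" /f'},
    {"type": "process", "command_line":
        'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\\Program Files\\Backup\\backup.exe"'},
    {"type": "registry", "key": EXEFILE_OPEN_KEY, "data": 'C:\\Windows\\svchost.com "%1" %*'},
    {"type": "registry", "key": EXEFILE_OPEN_KEY, "data": EXEFILE_DEFAULT_COMMAND},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_RECORDS):
        print(line)
```

                Removing the task alone is not enough: while the exefile verb points at svchost.com, every infected or re-executed .exe is relaunched through the Neshta loader, so restore the verb to "%1" %* and remove C:\Windows\svchost.com before trusting any binary on the host, and treat the Yara-matched files under Program Files and ProgramData above as infected rather than merely dropped.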
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\svchost.com | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32c7dec.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32d867c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32d867c.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32c7dec.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 5332, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 5100, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 2308, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 5332, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 340, type: MEMORYSTR
                Source: bWrRSlOThY.exe, 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, RemoteDestopManagerx86.exe, 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, RemoteDestopManagerx86.exe, 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RemoteDestopManagerx86.exe, 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Memory allocated: 3230000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Memory allocated: 32B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Memory allocated: 52B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Memory allocated: 1540000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Memory allocated: 2D40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Memory allocated: 4D40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Memory allocated: C70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Memory allocated: 2980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Memory allocated: EA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Memory allocated: B50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Memory allocated: 28E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Memory allocated: E70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 1160000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2B20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2970000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2500000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2680000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 4680000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2DB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2F80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 5080000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 12B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2AE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 4AE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 1120000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2D50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 13B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: CF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2710000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory allocated: 2660000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Window / User API: threadDelayed 4662
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Window / User API: threadDelayed 5119
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXEJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exeJump to dropped file
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe TID: 5348 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe TID: 6948 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe TID: 4992 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe TID: 5128 | Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe TID: 5580 | Thread sleep count: 4662 > 30
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe TID: 5580 | Thread sleep count: 5119 > 30
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe TID: 5048 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe TID: 5040 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe TID: 5480 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe TID: 6928 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe TID: 404 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe TID: 3220 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe TID: 5140 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe TID: 7104 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe TID: 2924 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe TID: 5408 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe TID: 3420 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe TID: 3384 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Thread delayed: delay time: 30000
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Thread delayed: delay time: 30000
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 30000
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 30000
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 30000
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\Jump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Jump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Jump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\Jump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\Jump to behavior
                Source: C:\Users\user\Desktop\bWrRSlOThY.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Jump to behavior
                Source: RemoteDestopManagerx86.exe, 00000010.00000002.2761460502.0000000000832000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: RemoteDestopManagerx86.exe, 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: bWrRSlOThY.exe, 00000003.00000002.4617709059.000000000120E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWpL1
                Source: bWrRSlOThY.exe, 00000003.00000002.4626044590.0000000005311000.00000004.00000020.00020000.00000000.sdmp, bWrRSlOThY.exe, 00000003.00000002.4626125498.0000000005345000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: RemoteDestopManagerx86.exe, 00000010.00000002.2761460502.0000000000832000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Memory written: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Memory written: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory written: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe base: 790000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory written: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Memory written: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe base: 770000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\bWrRSlOThY.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe"
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe"
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE"
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE"
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                Source: AutoIt3_x64.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Queries volume information: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Queries volume information: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Queries volume information: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Queries volume information: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Queries volume information: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe | Queries volume information: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32c7dec.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32d867c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 19.2.RemoteDestopManagerx86.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32d867c.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.2997de0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.RemoteDestopManagerx86.exe.29a8670.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b48848.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.bWrRSlOThY.exe.32c7dec.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 29.2.RemoteDestopManagerx86.exe.2b37fac.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 5332, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 5100, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 2308, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 5332, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RemoteDestopManagerx86.exe PID: 340, type: MEMORYSTR
                Source: bWrRSlOThY.exe, 00000003.00000002.4617709059.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: bWrRSlOThY.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.bWrRSlOThY.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2592455877.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: bWrRSlOThY.exe PID: 3884, type: MEMORYSTR
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
MITRE ATT&CK Matrix (flattened to one line per tactic; a numeric prefix is the count badge the original matrix shows for a technique with matching signatures, techniques without one had no matching signature in this analysis)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Windows Management Instrumentation; 2 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 2 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 112 Process Injection; 2 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 12 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 321 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 31 Virtualization/Sandbox Evasion; 112 Process Injection
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 File and Directory Discovery; 13 System Information Discovery; 1 Query Registry; 221 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 11 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (the graph's node and edge data, rendered here as a text process tree; node numbers are the graph's own)
Behavior Graph ID: 1523423, Sample: bWrRSlOThY.exe, Start date: 01/10/2024, Architecture: WINDOWS, Score: 100

Network (top level): enero2022async.duckdns.org (signature: Uses dynamic DNS services); edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; 2 other IPs or domains
Signatures (top level): Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Process tree:
10 bWrRSlOThY.exe
    dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\Temp\chrome.exe (PE32); C:\Users\user\AppData\...\bWrRSlOThY.exe (PE32); 172 other malicious files
    signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS); 2 other signatures
    20 bWrRSlOThY.exe
        dropped: C:\Users\user\AppData\...\bWrRSlOThY.exe.log (ASCII)
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign processes
        40 cmd.exe
            signature: Uses schtasks.exe or at.exe to add and modify task schedules
            61 conhost.exe
        49 (3 other processes)
            network: enero2022async.duckdns.org 172.94.108.143 (M247GB, United States), client ephemeral port 49712 to remote port 7784
            dropped: C:\Users\user\...\RemoteDestopManagerx86.exe (PE32)
            71 conhost.exe; 73 conhost.exe; 75 schtasks.exe
14 RemoteDestopManagerx86.exe
    dropped: C:\Users\user\...\RemoteDestopManagerx86.exe (PE32)
    signature: Drops executables to the windows directory (C:\Windows) and starts them
    24 svchost.com
        43 RemoteDestopManagerx86.exe
            signature: Injects a PE file into a foreign processes
            63 cmd.exe -> 77 conhost.exe; 79 schtasks.exe
            65 cmd.exe -> 81 conhost.exe
            67 cmd.exe -> 83 conhost.exe
            69 RemoteDestopManagerx86.exe
16 RemoteDestopManagerx86.exe
    signature: Injects a PE file into a foreign processes
    26 cmd.exe -> 53 (2 other processes)
    28 cmd.exe -> 45 conhost.exe
    30 cmd.exe -> 47 conhost.exe
    32 RemoteDestopManagerx86.exe
18 (2 other processes)
    34 cmd.exe -> 55 (2 other processes)
    36 cmd.exe -> 57 (2 other processes)
    38 (6 other processes) -> 59 (4 other processes)
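The behavior graph records the chain a detection engineer needs to cover: the Neshta infector dropped as C:\Windows\svchost.com, the AsyncRAT payload RemoteDestopManagerx86.exe (the malware's own misspelling) running from the user profile, cmd.exe spawning schtasks.exe beneath it, a duckdns.org lookup and a connection to 172.94.108.143 on port 7784. The following triage script is an added example, not Joe Sandbox code and not code from the sample: it replays constructed Sysmon-style events (the event schema, field names, the Temp directory used for RemoteDestopManagerx86.exe, the task name "Updater" and the rule weights are all assumptions; the report elides the payload's real path and never shows a task name) and attributes every rule hit to the root of the process tree it belongs to, so the score lands on bWrRSlOThY.exe rather than on the conhost.exe leaf that happened to fire.

```python
"""Added triage example (not Joe Sandbox code): replay Sysmon-style process, file,
DNS and network events against the behaviours this report records for the
AsyncRAT/Neshta sample and attribute each hit to the root of its process tree.
Event format, field names and the sample events are constructed; the indicators
(domain, IP, port, dropped file names, schtasks under the RAT) come from the report."""
import json

# Indicators from the report.
C2_IP = "172.94.108.143"                    # enero2022async.duckdns.org
C2_PORT = 7784                              # remote port of the recorded connection
NESHTA_DROPPER = r"c:\windows\svchost.com"  # PE with a .com extension, dropped into C:\Windows
RAT_PAYLOAD = "remotedestopmanagerx86.exe"  # the malware's own misspelling, match it as-is

# Constructed Sysmon-like log (JSON lines). The RemoteDestopManagerx86.exe directory
# and the task name "Updater" are placeholders: the report elides the path and
# does not show the task name. The last three lines are benign noise.
SAMPLE_LOG = r"""
{"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Users\\user\\Desktop\\bWrRSlOThY.exe", "cmdline": "bWrRSlOThY.exe"}
{"type": "file", "pid": 100, "path": "C:\\Windows\\svchost.com"}
{"type": "file", "pid": 100, "path": "C:\\Users\\user\\AppData\\Local\\Temp\\chrome.exe"}
{"type": "process", "pid": 101, "ppid": 100, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\RemoteDestopManagerx86.exe", "cmdline": "RemoteDestopManagerx86.exe"}
{"type": "process", "pid": 102, "ppid": 101, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c schtasks /create /tn Updater /tr C:\\Users\\user\\AppData\\Local\\Temp\\RemoteDestopManagerx86.exe /sc onlogon /f"}
{"type": "process", "pid": 103, "ppid": 102, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\user\\AppData\\Local\\Temp\\RemoteDestopManagerx86.exe /sc onlogon /f"}
{"type": "dns", "pid": 101, "query": "enero2022async.duckdns.org"}
{"type": "net", "pid": 101, "dst_ip": "172.94.108.143", "dst_port": 7784}
{"type": "process", "pid": 200, "ppid": 1, "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"type": "dns", "pid": 200, "query": "bg.microsoft.map.fastly.net"}
{"type": "net", "pid": 200, "dst_ip": "199.232.210.172", "dst_port": 443}
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def walk(procs, pid):
    """Lower-cased image names from pid up to its root (pid's own image first), and the root pid."""
    chain, seen, root = [], set(), pid
    while pid in procs and pid not in seen:
        seen.add(pid)
        root = pid
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain, root


# Rules see the event and the ancestry of the process that produced it.
def neshta_dropper(ev, chain):
    return ev["type"] == "file" and ev["path"].lower() == NESHTA_DROPPER

def rat_payload_in_user_profile(ev, chain):
    return (ev["type"] == "process" and basename(ev["image"]) == RAT_PAYLOAD
            and ev["image"].lower().startswith("c:\\users\\"))

def schtasks_persistence_under_rat(ev, chain):
    # schtasks /create reached via cmd.exe from the RAT payload, as in the report's process tree.
    return (ev["type"] == "process" and chain[0] == "schtasks.exe"
            and "/create" in ev["cmdline"].lower() and RAT_PAYLOAD in chain[1:])

def dynamic_dns_lookup(ev, chain):
    return ev["type"] == "dns" and ev["query"].lower().endswith(".duckdns.org")

def known_c2_connection(ev, chain):
    return ev["type"] == "net" and ev["dst_ip"] == C2_IP and ev["dst_port"] == C2_PORT


RULES = [  # (name, weight, predicate); weights are illustrative, not from the report
    ("neshta_dropper_written", 40, neshta_dropper),
    ("rat_payload_in_user_profile", 20, rat_payload_in_user_profile),
    ("schtasks_persistence_under_rat", 30, schtasks_persistence_under_rat),
    ("dynamic_dns_lookup", 20, dynamic_dns_lookup),
    ("known_c2_connection", 50, known_c2_connection),
]


def triage(events):
    """Return {root_pid: {"score": int, "hits": [rule names]}} for every tree with at least one hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = {}
    for ev in events:
        chain, root = walk(procs, ev["pid"])
        if not chain:  # event from a process whose start we never saw
            continue
        for name, weight, predicate in RULES:
            if predicate(ev, chain):
                entry = findings.setdefault(root, {"score": 0, "hits": []})
                if name not in entry["hits"]:  # count each rule once per tree
                    entry["hits"].append(name)
                    entry["score"] += weight
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(parse_log(SAMPLE_LOG)), indent=2))
```

Run stand-alone it prints one finding for root pid 100 with all five rules and a score of 160, and nothing for the benign svchost.exe tree (pid 200), whose fastly.net lookup and port 443 connection match no rule. Walking parents by pid rather than by image name matters here: in the report svchost.com sits between two RemoteDestopManagerx86.exe launches, and a name-only rule on "schtasks.exe with parent cmd.exe" would fire on ordinary admin activity as well.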

Source | Detection | Scanner | Label
bWrRSlOThY.exe | 100% | ReversingLabs | Win32.Virus.Neshta
bWrRSlOThY.exe | 100% | Avira | W32/Neshta.A
bWrRSlOThY.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 95% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 95% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 95% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 95% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 95% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 95% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 97% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 95% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 95% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 95% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 97% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE | 100% | ReversingLabs | Win32.Virus.Neshta
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.34 | true | false | | unknown
enero2022async.duckdns.org | 172.94.108.143 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
enero2022async.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | AutoIt3_x64.exe.0.dr | false | | unknown
https://crashpad.chromium.org/ | msedgewebview2.exe0.0.dr | false | | unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | msedge_pwa_launcher.exe.0.dr, msedgewebview2.exe0.0.dr, setup.exe0.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | false | | unknown
https://crashpad.chromium.org/bug/new | msedgewebview2.exe0.0.dr | false | | unknown
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte | integrator.exe.0.dr | false | | unknown
http://www.autoitscript.com/autoit3/8 | Aut2exe.exe.0.dr | false | | unknown
http://nsis.sf.net/NSIS_ErrorError | bWrRSlOThY.exe, 00000000.00000002.2592410270.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr | false | URL Reputation: safe | unknown
http://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr | false | | unknown
https://t.me/xworm_v2 | RemoteDestopManagerx86.exe, 00000030.00000002.4611188210.000000000271C000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | bWrRSlOThY.exe, 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | msedgewebview2.exe0.0.dr | false | | unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | msedge_pwa_launcher.exe.0.dr, msedgewebview2.exe0.0.dr, setup.exe0.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | false | | unknown
https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader | OLicenseHeartbeat.exe.0.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.94.108.143 | enero2022async.duckdns.org | United States | 9009 | M247GB | true
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1523423
                                                Start date and time:2024-10-01 15:46:07 +02:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 10m 41s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:56
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:bWrRSlOThY.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:a2ce48432527c70571d0851c190dbc10.exe
                                                Detection:MAL
                                                Classification:mal100.spre.troj.evad.winEXE@76/183@5/1
                                                EGA Information:
                                                • Successful, ratio: 54.5%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 128
                                                • Number of non-executed functions: 1
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 199.232.210.172
                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target RemoteDestopManagerx86.exe, PID 1524 because it is empty
• Execution Graph export aborted for target RemoteDestopManagerx86.exe, PID 3384 because there are no executed functions
                                                • Execution Graph export aborted for target RemoteDestopManagerx86.exe, PID 5332 because it is empty
                                                • Execution Graph export aborted for target RemoteDestopManagerx86.exe, PID 6476 because it is empty
                                                • Execution Graph export aborted for target RemoteDestopManagerx86.exe, PID 760 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtCreateFile calls found.
                                                • Report size getting too big, too many NtOpenFile calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                • VT rate limit hit for: bWrRSlOThY.exe
Time | Type | Description
09:47:01 | API Interceptor | 8613999x Sleep call for process: bWrRSlOThY.exe modified
09:48:02 | API Interceptor | 4x Sleep call for process: RemoteDestopManagerx86.exe modified
15:47:02 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | https://www.dropbox.com/l/scl/AADL_v5DzsoHwkyegIhk6J0bQm3A7UWklCA | malicious | Unknown | 199.232.214.172
 | https://k7qo.sarnerholz.cam/APRjVfmk | malicious | Unknown | 199.232.214.172
 | https://0.pwsinc.shop/?MKPT=Inc | malicious | Captcha Phish | 199.232.210.172
 | https://swissquotech.com/swissquote-2024.zip | malicious | Phisher | 199.232.214.172
 | He6pI1bhcA.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | 5eRyCYRR9y.exe | malicious | ScreenConnect Tool | 199.232.210.172
 | VD01NDHM8u.exe | malicious | ScreenConnect Tool | 199.232.210.172
 | vovE92JSzK.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | s9POKY8U8k.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | VD01NDHM8u.exe | malicious | ScreenConnect Tool | 199.232.214.172
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | https://swissquotech.com/swissquote-2024.zip | malicious | Phisher | 217.20.57.24
 | VD01NDHM8u.exe | malicious | ScreenConnect Tool | 217.20.57.42
 | tr5jscSEwo.exe | malicious | ScreenConnect Tool | 217.20.57.18
 | sostener.vbs | malicious | AsyncRAT, DcRat | 84.201.210.35
 | https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL | malicious | Unknown | 217.20.57.18
 | http://langtonskilkenny.com/rrUrhf | malicious | Unknown | 217.20.57.34
 | http://hrlaw.com.au | malicious | Unknown | 217.20.57.34
 | https://pokegamaclub.com/ | malicious | Unknown | 217.20.57.34
 | file.exe | malicious | PureCrypter | 217.20.57.18
 | https://webmail.tallermultimarcassfk.com/ | malicious | Unknown | 217.20.57.18
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | Shipping Documents.xls | malicious | Remcos | 89.238.176.21
 | sostener.vbs | malicious | AsyncRAT, DcRat | 91.202.233.169
 | https://u47113775.ct.sendgrid.net/ls/click?upn=u001.NLjCc2NrF5-2Fl1RHefgLH74dDCI-2FlQUMQCuknF0akr34-3DPZ74_Bz-2FoIC9YMuvgy8ZsoekpZ-2Fn96y0OCAueT5LjwQn-2FX25AbFWdd2iGOJMfOUDymLwSDnjLWUuKOfyExMHrLPQc6sWuvBEF4PT9PwlcB-2BK9NQmoQucfLOeGSzPQg4J-2Bvn2C-2FT7DBGI3L6HQml9TPdefbzANw58o8IwtiN3AMNw21dRhcIy1JE5InQL6ZhzyniB-2FPrKB2Vn9uUJ7Mm1QrvUZh95-2FIqg1tkHnn-2FLCgLCOHUCdp1zwu5x-2Fprfv3kPHwI33RA9-2FJGY9xYPl-2BGH4uHP30vXeaFOwuVkWjx1bpQcAiato1uxhbL8AJAqpgT-2Bg5yQp7xXBACsCORIJr0VehkYFdFdFkgZPx7KSQblwloMm5OUc-2B9bb1d0siCBq5u36Pp2iCgmhq5PmipxmWr1HvrLZkdUUXJjpaRdjjEopb-2Fhw3b-2BUOpmNbUIJywjWyMBcUA9ScKtkpotTga2qo5ZaX-2B7AVyqz8KXtUfTb8SopobzuOWPiU-2BhBa8i7lRIGGQBQZmYU1TWv5mQ8uRPPf-2FWdH9RREF8cMLDET4k24yu8dJdqteeATx8Jfw8MWOWehX6ZTxJWGswooAVOvW116fDJmFNO-2F-2BecR-2Fd9NmRwCYnnK4Bh3IM-3D | malicious | HTMLPhisher | 172.86.79.8
 | 1bhYyrjyNk.vbs | malicious | Unknown | 172.86.98.166
 | WQRNV7bMS5.vbs | malicious | Unknown | 172.86.98.166
 | 6L9vCf48mN.vbs | malicious | Unknown | 172.86.98.166
 | sostener.vbs | malicious | AsyncRAT, DcRat | 91.202.233.169
 | https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL | malicious | Unknown | 195.8.197.149
 | C6DAEyTs7d.rtf | malicious | Remcos | 89.238.176.21
 | file.exe | malicious | Remcos, GuLoader | 172.111.244.109
                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Program Files (x86)\AutoIt3\Au3Check.exe | ex - k.exe | malicious | Neshta |
 | DefenderControl.exe | malicious | Neshta |
 | KaUsrTsk.exe | malicious | Neshta |
 | LfZoUaTFP7.exe | malicious | Neshta, XRed |
 | TQ1Aw6M5eY.exe | malicious | Neshta, XRed |
 | rfQ3afwShz.exe | malicious | AsyncRAT, Neshta, PureLog Stealer, RedLine |
 | vZ2HwQ4Vrq.exe | malicious | AsyncRAT, Neshta, PureLog Stealer, RedLine, VenomRAT, zgRAT |
 | 69qhUXs68m.exe | malicious | AsyncRAT, Neshta, PureLog Stealer, RedLine, VenomRAT |
 | 47SO85donJ.exe | malicious | Neshta |
 | TBw6qwEBHZ.exe | malicious | BlackMoon, Neshta, XRed |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | ex - k.exe | malicious | Neshta |
 | DefenderControl.exe | malicious | Neshta |
 | KaUsrTsk.exe | malicious | Neshta |
 | LfZoUaTFP7.exe | malicious | Neshta, XRed |
 | TQ1Aw6M5eY.exe | malicious | Neshta, XRed |
 | rfQ3afwShz.exe | malicious | AsyncRAT, Neshta, PureLog Stealer, RedLine |
 | vZ2HwQ4Vrq.exe | malicious | AsyncRAT, Neshta, PureLog Stealer, RedLine, VenomRAT, zgRAT |
 | 69qhUXs68m.exe | malicious | AsyncRAT, Neshta, PureLog Stealer, RedLine, VenomRAT |
 | 47SO85donJ.exe | malicious | Neshta |
 | TBw6qwEBHZ.exe | malicious | BlackMoon, Neshta, XRed |
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):275560
                                                                                        Entropy (8bit):6.2970746701197715
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CqP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvOIXM:k9q4VQjVsxyItKQNhigibKCM
                                                                                        MD5:C5611345B2807155BF89ECA90379AB14
                                                                                        SHA1:03A0F7BD2A50895DF6A9311DB3E5C58B574E1BA3
                                                                                        SHA-256:6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304
                                                                                        SHA-512:18C164973DE987AD9ED1CFCB2AE5557238692B5C50E0F8B8DCECF0B11B2DADBA6C0B5990C532AE8DB578F04BD1CAB3086C78493866C8B989A41DD6251693CA98
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 95%
Joe Sandbox View:
• Filename: ex - k.exe, Detection: malicious
• Filename: DefenderControl.exe, Detection: malicious
• Filename: KaUsrTsk.exe, Detection: malicious
• Filename: LfZoUaTFP7.exe, Detection: malicious
• Filename: TQ1Aw6M5eY.exe, Detection: malicious
• Filename: rfQ3afwShz.exe, Detection: malicious
• Filename: vZ2HwQ4Vrq.exe, Detection: malicious
• Filename: 69qhUXs68m.exe, Detection: malicious
• Filename: 47SO85donJ.exe, Detection: malicious
• Filename: TBw6qwEBHZ.exe, Detection: malicious
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):217704
                                                                                        Entropy (8bit):6.606010943993646
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CFxFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxTtM:k9P2K4TSFo5Y683TdiQMcGNUl4N
                                                                                        MD5:D103610D5A97A461DE47D79EBC364E23
                                                                                        SHA1:B7AC0C939E39117C2FA939D47322A8B9FAF5AD0D
                                                                                        SHA-256:6CF772752F25B150052F17600F5D08876E87FCAF774CE834A896688B1836BFD7
                                                                                        SHA-512:97A467B62C96BF51CC5904B1EF1CB0D416364B2C835A326BFE7F5357823B07F5541C8DF5AD2195583ED108B90E5EDF820E2C3CAD42CFAA5FB67BF8CC1B9026E2
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 95%
Joe Sandbox View:
• Filename: ex - k.exe, Detection: malicious
• Filename: DefenderControl.exe, Detection: malicious
• Filename: KaUsrTsk.exe, Detection: malicious
• Filename: LfZoUaTFP7.exe, Detection: malicious
• Filename: TQ1Aw6M5eY.exe, Detection: malicious
• Filename: rfQ3afwShz.exe, Detection: malicious
• Filename: vZ2HwQ4Vrq.exe, Detection: malicious
• Filename: 69qhUXs68m.exe, Detection: malicious
• Filename: 47SO85donJ.exe, Detection: malicious
• Filename: TBw6qwEBHZ.exe, Detection: malicious
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):237160
                                                                                        Entropy (8bit):6.441042873341931
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CuyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:k9tl3wdYtcH9b5Y651zU77Ea
                                                                                        MD5:3256A5B6BEBFC57A3CC7C74801B06B57
                                                                                        SHA1:7AEFDEDF3B79F68884A780082FC12AF565FE80DA
                                                                                        SHA-256:A2791E10861628C1AC263A540A6D575275F9E3E22A31BB62AB1320EAAED0C982
                                                                                        SHA-512:111928B9435B7F6721919E58C3248E985C1FA76EB2E9C18559374847C6B8F54499BE6FDA36724F568384A32F1E4D91EC6F0A51ABECFE585740CE1916E5205B09
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 95%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1675872
                                                                                        Entropy (8bit):7.455008835300499
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:LC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:sK0eqkSR7Xgo4TiRPnLWvJY
                                                                                        MD5:3E25798A6593021C594E9B0F5E4D1CC0
                                                                                        SHA1:0F412F338A8323C62D21606629B121DDC5A11C2F
                                                                                        SHA-256:4ED44421F087BC78474EE5512BC85FDF8602D651C144CC97449C332E19B07C10
                                                                                        SHA-512:ABAF3628ADB6C48F606DFE67EB777EB3C2B5D3E635996E6E673E3183ACC766A5E0341F1FB79436268DCF0FFF6889F997A77344CC39CC65D06248ADE8A9F43991
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 95%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1841760
                                                                                        Entropy (8bit):7.348031538890329
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:5EeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:rfYP1JsEDkSR7Xgo4TiRPnLWvJD
                                                                                        MD5:A80324ADD872CA0150B9A23F0FE412D0
                                                                                        SHA1:D8B4074235B24DB9B9238FE7985C4D0A909297E1
                                                                                        SHA-256:6BB5BB976CDDCA2A12E007B6B65E675990ABE3819906069DD6DB5867C0AFD943
                                                                                        SHA-512:BC1AE9D3976F210F161EE1B8E43698C9B717E216B3E35F6E15C7D38FE5D82DEFB843104B0FBEF56842E7B10CF50DFE2206F7E5C2117AFF0D99AB7B4EE7708915
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 95%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):346624
                                                                                        Entropy (8bit):7.904139028422803
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9ypXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZV:V9zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
                                                                                        MD5:4D2A6099D369E478E6B97ECA38DF66FF
                                                                                        SHA1:F8A2EFB513BC22A550E1DAADB7765D3691795D05
                                                                                        SHA-256:E8657C5096C1D6059D7862D842C93EE9D7C16331EFBEC02C99BECA1ACEF0E4D7
                                                                                        SHA-512:7BC01CBF7A591AAC71439A126940D1374B6BB49A3109651EB9525026EAB22AD70558FFB8723838C33830467D1B7DBE72E76BA84925BFECD405E10B83FFDF8A45
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 95%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):165976
                                                                                        Entropy (8bit):6.142151879298232
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C54kvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:k96nGZLknnj1X62SYdb4I
                                                                                        MD5:DC83EC579923AE57218540FC07BF2040
                                                                                        SHA1:E66D11E9A1E1C5FAD6A6D7B3F4ABDEB1A446A873
                                                                                        SHA-256:13E946747F9CD00EC7347780C1D0887C22EE43B8677337B32B0C9CA8070E09B5
                                                                                        SHA-512:3990D01D0B492961B1F15A15BA12E0213A5C5B72D5B2809B2A58BFF6A2AB2C37058540D8C9F8E5524FA6EBBE72A0BEB1317AA07D06E8D326DCC234EF4F82CC13
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 97%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1113176
                                                                                        Entropy (8bit):6.4474669878621365
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:wTC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:w+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
                                                                                        MD5:17047620C59D9FE748AA05010D507AC9
                                                                                        SHA1:5B0D5B70529A435FF5BC75376B472393485C9871
                                                                                        SHA-256:C539E191A88228427976838CDBEC85CCDBD82540544615055E8F91BE803568D5
                                                                                        SHA-512:21EE706E62D205C09602EDAC232878743F46EEDDF76CD6625926F7C64E89AB27883497A1785D31D8D354E0F20C05C39F39566F6505450B9DB47D057FD7E5BAA1
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 95%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):2414080
                                                                                        Entropy (8bit):6.729178086017267
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:3EGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL8:U4OEtwiICvYMpfc
                                                                                        MD5:249BBE06632E2A230917599D7E07C3B0
                                                                                        SHA1:E61C25BBEBA924006CA9DCED18549C72856FC205
                                                                                        SHA-256:A232299F45362340795849140E955B1FE202928E21FF5BB016A03471C80A2FA3
                                                                                        SHA-512:537050319C5BC05A3DF9A5629CAD25FC2CD4A28078CF6932C0434F5FF135653300D90030D1F097607FD7257130D70A91B7235AAD82A07199891C25E8EE5DD8B1
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 95%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):113233
                                                                                        Entropy (8bit):6.788395365702366
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CWCrNGEtajbefY/TU9fE9PEtuGCrK:k9WCrAEt+cYa6YCrK
                                                                                        MD5:BA9FF8A299799820F7252C401EA47ECB
                                                                                        SHA1:D8123BDB9E57F1364E304209F149360880F26C3F
                                                                                        SHA-256:6938E7E71C8AB309A57D7C7C2B764F888AD6A9B8807200E573CA6B7183B11FF6
                                                                                        SHA-512:A62D6818EFB2FAAE9012377319277B7E8F31FD32326EFE1011D1D874006B3C6020DC3F4DE429B9DD4F4B137E2954A0469DEF997692BA72DF21AFC0F6B505C54B
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 95%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):409608
                                                                                        Entropy (8bit):6.462760862163708
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9hvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGT:LbgvuFuQdj+zRTJkX8yMhB3jhBAi
                                                                                        MD5:1641D233388AEAE9D77CFC976D5427FD
                                                                                        SHA1:C33533FCDC02E6255A1863102038C961E82BFD63
                                                                                        SHA-256:D996D5C70C926BD6265607C6536C2B575427F11046E5FCA5AC32768E2AE81EF6
                                                                                        SHA-512:A959BC2A3F6A96EC44EE1F58A0E5C6D791158D4935DE8357091A273F2120993438B4883A9C919824F7C6D91462F7B97C7BAA6B3AF4829B63204A5135D4895CDD
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):214512
                                                                                        Entropy (8bit):6.4940889932550885
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CxGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzDI5:k9xGUcsvZZvUmubv7hTHA8l3yROJyDI5
                                                                                        MD5:BB00882A877F34EF5C0FB4FEEFE0C351
                                                                                        SHA1:79B64FE2910FF50820B0C83BD52857ADBAEE5AC2
                                                                                        SHA-256:45E860894975F6F06D453668E5A4BC99A9C9F20E1D10B29C889280C03FBD6174
                                                                                        SHA-512:C7EBBA30720AE9482D889C27A7434328D098A66CC08BFD6A4F96B92C7799FB6E3784BD63BA00E5C03F168D45B164DAB8953042AAF1D9450452C217A9C724AAB9
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):568400
                                                                                        Entropy (8bit):6.67410873638024
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:pyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:pyyLj8trn3wsq0vq
                                                                                        MD5:4742CA122FBE7E689F0AB4DCE9507986
                                                                                        SHA1:5DF6FDFA6E97A57A4F957EEB4520BA378F850B16
                                                                                        SHA-256:D91AA424DAFC703F0DD4173FDFAF017F8203D42F78E2219C21714E81F740991B
                                                                                        SHA-512:0643D24C897A268C2537F0EA885AB7C1263E1648AEE3350521C04695ABAABC2908C5A1F262C17A6918C30608D40D1B61A5EE9A0BB027BDFF9D8D6FA7AFA7996F
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1252432
                                                                                        Entropy (8bit):6.763931251276611
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:R0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:S4iwwGJra0uAUfkVy7/ZX
                                                                                        MD5:B248EF0A955B4F85B13A4F2039C4F757
                                                                                        SHA1:B48E6437A4D0998F47606660AE97BAD147D2E873
                                                                                        SHA-256:E46F55F9E2C74FD3E46A67DA5CB29EB2458ABCF8134D2E447AE91F408B5CD3DD
                                                                                        SHA-512:EE58707EF36F8E0499CD45C985A91390241064F07CFB1F74B2F5AF1270631C5DB34A9F517F89C45EADF9D8914301C24A80359C22589934C98716E472AC21AB50
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):790096
                                                                                        Entropy (8bit):6.746361102520175
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:/MvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:TR0gB6axoCfyR6RLQRF/TzJqe58BimIh
                                                                                        MD5:CC11EF3CDA871E739075E19C7E011FFB
                                                                                        SHA1:C0B20B62646FB9C3C3AAA61BA6D806AAE86FC93B
                                                                                        SHA-256:5F4334AE0F8BB573E6179BABD9C7DF94C0FA33A081390FEE7C04DDBEF1CE5BC4
                                                                                        SHA-512:4DF027A3FF53C549AE181C43BDA619460A373E96564B448C74EEFA5ECD820A39B51C763FA5FDCCED1939CF900E51826E5D6087272E91DD95629E2C7615B268E0
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):562776
                                                                                        Entropy (8bit):6.434910305077969
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9H0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:peqbWqB3sunrT9+aYFLq3ny7JSEBPj
                                                                                        MD5:AAFEB56FD7F7B3864CE0172C11BFFC87
                                                                                        SHA1:8628FEF6AA9346B4CA3E0534632AC831DA737C15
                                                                                        SHA-256:8620ED2307EE8B35B5109D765F8BFBF8FDC2CF5D451E52706F9C5C2A13248609
                                                                                        SHA-512:16BD91F2F348D6FB6B35AD47225B9CF80AD0EC5D0BEB0AEEF7D84D9CE164DCE23DBAE529CCCEC7CD6577E115935D93913DCF6446C92499C96BA11E986271E5FE
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):127512
                                                                                        Entropy (8bit):6.339948095606413
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CqPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:k9qg1MOc81hmRFJs0Z
                                                                                        MD5:1307001D8EECE24439EE9F2E353163CA
                                                                                        SHA1:0D5EC348BFB5B53CF8A0AEE1FD325BA0BAC476B2
                                                                                        SHA-256:D5842746263ED287CEFF18A1C03D784AEB007D7BF63D6548C324B21FE7B6F3D5
                                                                                        SHA-512:5A23D430C6117CC2467E2FBA4935829EED4752A6F10F2AEE81C66B239567BC3A3F2822D3A039AE450CF5CC89F27FED2E1EFCC8260D5A650AD3570671D65B247A
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):299136
                                                                                        Entropy (8bit):6.791456127636419
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9/0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:G0EbH0j4x7R6SvyCMqn
                                                                                        MD5:7663DA5345AED4E2CE3AE00F1569BAD3
                                                                                        SHA1:10BF6A77F04B10292030C2456066EB519A4F50A0
                                                                                        SHA-256:14093EE670E445270AD20D7451E89F37B7E8335C5EC73460A0154232852BA3C6
                                                                                        SHA-512:1F8E1BEFA7E2462CA5C0DEB8756DF7B8FFD71D82F09FA0B93EF9CA2D32CACB21688713F5AFA8053B9F83463E9253D428818AA9334202ACB147A608827E4027F1
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                         • Antivirus: Avira, Detection: 100%
                                                                                         • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                         • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):299136
                                                                                        Entropy (8bit):6.793867878392893
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9/lXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:GlXCs/YAh/elvhI7Wd
                                                                                        MD5:BB0E7591812BC27C3D6D3DA565AF925B
                                                                                        SHA1:BCF62126B5381B32D7C614EFDFA30CF7F385463D
                                                                                        SHA-256:F251861114A4932B3AE9FDC95524EED50D2BD6DBE1E498C48FAE4BD095D4BD7F
                                                                                        SHA-512:EA133EB067DC32BE2EE47D1BC50CE77FA87DA2379CA5991EDB837EAED7BCE9BDAAA179A7997220E0D8520926F846D998948B92607DA330128D74B1E000E8E1A5
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):437888
                                                                                        Entropy (8bit):6.42684511221715
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:GGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:9KiBLZ05jNTmJWExixM
                                                                                        MD5:2607BC5BE23EF6AFA96E1B243164745B
                                                                                        SHA1:50B602076CB054022A35790FDCF0512CA1D9B68D
                                                                                        SHA-256:EE438CBF24A8CC6303A4930BD3D84EA306C350A92384F3705364058BECAB050A
                                                                                        SHA-512:59C7C4CF7B43726B774A4BE770B5B02573EDBE035C3DEAC909EC3230A1A05A2E2D6814F08F9D81F9E86433748082D1A04B914C7444585D90D511C348C8367D33
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
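Every dropped file listed above, whatever its size or original vendor (Adobe, Java, Office, VSTO, Google), starts with the same preview bytes: the Borland/Delphi "MZP" stub, the "This program must be run under Win32" message and an identical CODE/DATA/BSS/.idata/.tls/.rdata/.reloc/.rsrc section table. Unrelated programs do not share a byte-identical header; a file infector that prepends its own body to each host does leave exactly that. The script below is an added example, not part of the Joe Sandbox report or of Joe Security tooling. It recomputes the per-file fields the report prints (size, MD5/SHA1/SHA-256/SHA-512, 8-bit entropy) and then measures the leading byte block that all Delphi-stub files in a batch share, so a responder can confirm the prepender pattern on a seized host without relying on the sandbox. The sample bytes, file names, the 8 KiB synthetic "infector body" and the choice to append the untouched host after it are all constructed for the demonstration and are not a statement about Neshta's real on-disk layout or body size.

```python
"""Batch triage of dropped executables (added example, not Joe Sandbox code).

Recomputes the per-file fields a sandbox report lists (size, MD5/SHA1/SHA-256/
SHA-512, 8-bit Shannon entropy) and checks whether the Delphi-stub files in a
batch share one identical leading byte block, the trace a prepending file
infector leaves on every host it touches. All inputs below are constructed.
"""
import hashlib
import math
import random
from collections import Counter, defaultdict

DELPHI_MAGIC = b"MZP"                      # DOS stub marker emitted by the Borland/Delphi linker
DELPHI_STUB_MSG = b"This program must be run under Win32"
MIN_SHARED = 0x400                         # shared prefix must exceed a bare DOS stub + PE headers


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (the report's 'Entropy (8bit)' field)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def looks_like_delphi_pe(data: bytes) -> bool:
    """True when the file carries the 'MZP' stub and the Delphi stub message near the start."""
    return data[:3] == DELPHI_MAGIC and DELPHI_STUB_MSG in data[:0x200]


def common_prefix_len(blobs: list) -> int:
    """Number of leading bytes identical across every blob (0 for an empty list)."""
    if not blobs:
        return 0
    limit = min(len(b) for b in blobs)
    for i in range(limit):
        first = blobs[0][i]
        if any(b[i] != first for b in blobs[1:]):
            return i
    return limit


def describe(samples: dict) -> dict:
    """Per-file record carrying the same fields the report prints for a dropped file."""
    return {name: {"size": len(data), "entropy": round(shannon_entropy(data), 6),
                   "delphi_stub": looks_like_delphi_pe(data), **digests(data)}
            for name, data in samples.items()}


def shared_infector_prefix(samples: dict) -> tuple:
    """Among files carrying the Delphi stub, measure the byte block they all share.

    Returns (prefix_length, sorted member names). A block longer than MIN_SHARED across
    hosts from different vendors is very unlikely to come from a common compiler alone;
    treat it as the infector's own body. If the infector kept each host intact, the
    original program begins at or after that offset (assumption for the synthetic data).
    """
    members = sorted(n for n, d in samples.items() if looks_like_delphi_pe(d))
    if len(members) < 2:
        return 0, members
    length = common_prefix_len([samples[n] for n in members])
    return (length, members) if length >= MIN_SHARED else (0, members)


def build_samples() -> dict:
    """Constructed input: one synthetic 8 KiB infector body prepended to three distinct
    hosts, plus one clean non-Delphi executable. Seeded so the result is repeatable."""
    rng = random.Random(0x4E455348)  # arbitrary fixed seed
    body = DELPHI_MAGIC + b"\x00" * 0x3D + DELPHI_STUB_MSG + b"\r\n$"
    body += bytes(rng.getrandbits(8) for _ in range(0x2000 - len(body)))
    hosts = {                                      # hypothetical host programs
        "armsvc.exe": b"MZ\x90\x00" + b"A" * 600,
        "jusched.exe": b"MZ\x90\x00" + b"J" * 900,
        "LICLUA.EXE": b"MZ\x90\x00" + b"L" * 300,
    }
    samples = {name: body + host for name, host in hosts.items()}
    samples["clean.exe"] = b"MZ\x90\x00" + bytes(rng.getrandbits(8) for _ in range(0x1000))
    return samples


if __name__ == "__main__":
    batch = build_samples()
    for name, rec in describe(batch).items():
        print(f"{name:12} size={rec['size']:6} entropy={rec['entropy']:.4f} "
              f"delphi={rec['delphi_stub']!s:5} sha256={rec['sha256'][:16]}...")
    length, members = shared_infector_prefix(batch)
    print(f"shared prefix: {length:#x} bytes across {members}")
```

On the synthetic batch the three infected files share 0x2004 bytes (the 8 KiB body plus the four "MZ\x90\x00" bytes every host begins with), while clean.exe is left out because it lacks the Delphi stub. Against real files, pass the dropped executables' bytes as the dict values; a shared block far longer than any PE header across vendors' programs is the confirmation the report's identical previews suggest, and the offset where the block ends is where to start looking for the original host.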
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):343328
                                                                                        Entropy (8bit):6.646237652723173
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9zkTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:OklinJruphfg26p2Ewix+m8Nln3
                                                                                        MD5:E08B11A49D68A60193D50788A23FEEC1
                                                                                        SHA1:5348D03F4BE33DE456F7E319C1F0F0DD2B281881
                                                                                        SHA-256:AD46D94722B50EED787512D44634295F8EAC6AB5851F75CC14B40DB095D18244
                                                                                        SHA-512:F397CA818F0F9902DC4111D240C6CE0E29B75477B4571D89BE9F4BEC2144AFE6E1BECC6058E3701B18C0090BF2FA15C8153173C024203655A3D757572E7E6DF5
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):443680
                                                                                        Entropy (8bit):6.399332197842204
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:r3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:rx5k8hb0Haw+x5x
                                                                                        MD5:BFEF6D485809D5E865C0CE57F5C30761
                                                                                        SHA1:67C6C40D604D094508A7A54B2C1B984D6B284B16
                                                                                        SHA-256:AF62AE439BF04032F161BE6720D989A4CF6D79F74916849D06F1118B77303B70
                                                                                        SHA-512:7F1715A1CAC7CFD1AC321F70DB92E1255DE06E6B98BD8D05F84219C729714DFAFA2C15B12CA55F5A3F7AE93FD53B74927D29F4627F27BCA7E65BC3D925A61912
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):203552
                                                                                        Entropy (8bit):6.1365331355493
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C8aKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31OK8I:k98aK2h9H/B+rEtiPC
                                                                                        MD5:3F7B572F1D8E16AEB92DD112EA5DDCBD
                                                                                        SHA1:FE399BE4D0126B73A2F1793B205D75F52923913F
                                                                                        SHA-256:617E36E5B66F2D8C2CB7534E883744EF115F2F1EC8B8210FAD308E21338A78E6
                                                                                        SHA-512:B5E7D7601A159DEE555A0E98D0D7D0A1BD2EAB68931C8520AC8965B2C05FFFB66D0320EA79713645A4991017A1D753E68F01267311B1C35AD86BE9731D3102E6
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 97%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):149792
                                                                                        Entropy (8bit):6.511104209826025
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CV4vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:k9npsB+09zMH7cCxPd
                                                                                        MD5:931BA0AB474211B6F6F46DF9D2685396
                                                                                        SHA1:46B754C10E0CE63693C1E0C243A180E980CCE688
                                                                                        SHA-256:37AC3DD2183C224D3E32A772FBA419CB1B63E591C5DF6FA69A15989DA9B2C582
                                                                                        SHA-512:2E9913BEAECC96FC9BB5BA270B819B7D3FDA82BE9AFF739C294D74A3C0ED7D706A7584D872221B864C3297CAB8C9300FE4DED15A40DA0F687D8E1DB1D60A18FA
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):227104
                                                                                        Entropy (8bit):6.237873657819261
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9AWt9h8QlLISZWVRohcq7dvni3F8QrBA/:Hy9hdFIdRoGUxi35rBU
                                                                                        MD5:19AFE8347886BC20E0AE3FF3168E4A33
                                                                                        SHA1:C75BF52D95EFB4C1A07F0D55D7A25B765B366087
                                                                                        SHA-256:58D82570BEE9757A3615789DF93384BC28C77D4F0E60796C0A845265FDB0BADA
                                                                                        SHA-512:6FE092C3AEB098BC26AF41E64EAD35381C7E49BEECB1847A1DF7DBDBE2449E0826D888B49F099E28C3A752013BA9E7D0DDF256A8B3A57F3A60248A467CB2DACF
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):264480
                                                                                        Entropy (8bit):6.6429855049099995
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9YwCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:1w6JmRI6Bitwpx+iQafFykG1da6edo
                                                                                        MD5:9E4A1877CD2731B9DFCE6E0FCD7B5037
                                                                                        SHA1:45E966F9EF775DD94339782C3374597AA7BC17D0
                                                                                        SHA-256:224C2EE088EB5EA5D06DA228AB575A704FCF2328B3EB60613983236B13B5CD70
                                                                                        SHA-512:7A7A6185F7590B1C5BEB2D16DA1FF14BFF15E6EE5BF185562B1588E32F112765BAF20D84892C85299DCD2C1F7127950D78EB3D10EDE6C45727D1D737F022F8BF
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):149792
                                                                                        Entropy (8bit):6.511488043303241
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CZ4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:k9HksB+0YlEXAe6QPt
                                                                                        MD5:1F18312D69028EEB0E96580CBD36232A
                                                                                        SHA1:E90EB0E84B9D3693EEECAC1979E736802D7AA181
                                                                                        SHA-256:DD6FC425C8F737BA5054624F638AB7B4ECCCFE3A6A14C1DDF11FDE34B928557F
                                                                                        SHA-512:487A3C9E58C51210EAC60866105E1E3A6C1F1B9BE39BB958EFDC635D2D7BB7F382E7AC3500CF40B2B83DA16986B1B8982E79E51C452901AB9848AE80666A1B26
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1631792
                                                                                        Entropy (8bit):7.975199435773668
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:HR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:/kVX3lfrFfR0BecCqKBs+4o8YhAKi
                                                                                        MD5:3DF71037F5D9E13497D95C8DA1CDDDC3
                                                                                        SHA1:32BF295FDEDCE06CB789BC243900AD405BCD2FA3
                                                                                        SHA-256:D5CBCA7E0315EC041C267A8B97DF0BE9AFA6618E2440E5FC673F473E89CB5A08
                                                                                        SHA-512:BFE93175001FFAF6B7F07B2B19D10AD7A701642D6316A19457F5C23C8E97ABB9518E17C058E8115377E0D39EF24C4641C0A3561C291A9D8455F11E6FF2907C3D
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1631792
                                                                                        Entropy (8bit):7.975199435773668
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:HR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:/kVX3lfrFfR0BecCqKBs+4o8YhAKi
                                                                                        MD5:3DF71037F5D9E13497D95C8DA1CDDDC3
                                                                                        SHA1:32BF295FDEDCE06CB789BC243900AD405BCD2FA3
                                                                                        SHA-256:D5CBCA7E0315EC041C267A8B97DF0BE9AFA6618E2440E5FC673F473E89CB5A08
                                                                                        SHA-512:BFE93175001FFAF6B7F07B2B19D10AD7A701642D6316A19457F5C23C8E97ABB9518E17C058E8115377E0D39EF24C4641C0A3561C291A9D8455F11E6FF2907C3D
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):299136
                                                                                        Entropy (8bit):6.791456127636419
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9/0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:G0EbH0j4x7R6SvyCMqn
                                                                                        MD5:7663DA5345AED4E2CE3AE00F1569BAD3
                                                                                        SHA1:10BF6A77F04B10292030C2456066EB519A4F50A0
                                                                                        SHA-256:14093EE670E445270AD20D7451E89F37B7E8335C5EC73460A0154232852BA3C6
                                                                                        SHA-512:1F8E1BEFA7E2462CA5C0DEB8756DF7B8FFD71D82F09FA0B93EF9CA2D32CACB21688713F5AFA8053B9F83463E9253D428818AA9334202ACB147A608827E4027F1
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):135808
                                                                                        Entropy (8bit):6.396186166703023
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKmGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nBs8m:sr85C/q4yutjZqMNbSgxbFrj8m
                                                                                        MD5:2DE190CF047A78DBCAB6E2216701D2BC
                                                                                        SHA1:9B490C017D00BD20562225FC684D426F44EE3C76
                                                                                        SHA-256:266452E14A03BE6D5B3CB049E5BBEA4C4787B4C18289FBAA212DFD8B1227B3C1
                                                                                        SHA-512:E1D62E8CFC1F441ED08ABDE8CD996EDE7636E48E67E0B1787A9CD0865C8885C1D56E736803BB20773EFD98768ADDCDB79C1489912F5D01E5BFAB231394D552FB
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):299136
                                                                                        Entropy (8bit):6.793867878392893
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9/lXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:GlXCs/YAh/elvhI7Wd
                                                                                        MD5:BB0E7591812BC27C3D6D3DA565AF925B
                                                                                        SHA1:BCF62126B5381B32D7C614EFDFA30CF7F385463D
                                                                                        SHA-256:F251861114A4932B3AE9FDC95524EED50D2BD6DBE1E498C48FAE4BD095D4BD7F
                                                                                        SHA-512:EA133EB067DC32BE2EE47D1BC50CE77FA87DA2379CA5991EDB837EAED7BCE9BDAAA179A7997220E0D8520926F846D998948B92607DA330128D74B1E000E8E1A5
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):437888
                                                                                        Entropy (8bit):6.42684511221715
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:GGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:9KiBLZ05jNTmJWExixM
                                                                                        MD5:2607BC5BE23EF6AFA96E1B243164745B
                                                                                        SHA1:50B602076CB054022A35790FDCF0512CA1D9B68D
                                                                                        SHA-256:EE438CBF24A8CC6303A4930BD3D84EA306C350A92384F3705364058BECAB050A
                                                                                        SHA-512:59C7C4CF7B43726B774A4BE770B5B02573EDBE035C3DEAC909EC3230A1A05A2E2D6814F08F9D81F9E86433748082D1A04B914C7444585D90D511C348C8367D33
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):163456
                                                                                        Entropy (8bit):6.282119597857022
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CQ446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:k9Q446d7T/H4X
                                                                                        MD5:6CAFDAA62D8747DE46D3034200B28419
                                                                                        SHA1:939138E4EE0DE785F062DBDF928465EEB2653510
                                                                                        SHA-256:F8C97B577C19232F795F72E2C81D343E7E4CC1A219350419A7FBE781C1FD82B4
                                                                                        SHA-512:8A390C6A4FB272AC4ADC80018E548AD656504901D580BD6FCDBF9DC6181435FD36AD46B396421F8957E38CE6D981324DA93BA5217FFCF78AD1AE7F2C8BC868E4
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):127104
                                                                                        Entropy (8bit):6.0679650494656965
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC3s8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8nBsb:sr85CaUkEsqzy7pxI8BszFJqkb
                                                                                        MD5:80063F8042BCD9F08243437E883EE0B7
                                                                                        SHA1:B28DFAAF22CD52264358AFCEFC9272B65DA021BB
                                                                                        SHA-256:77D52E65380CDF4E98EBBF36F578A5A1406F4BF9D53C434FFDE323AD833158C5
                                                                                        SHA-512:BD4FC5327D74C0D9FC1A75DC9781AE5F3C147A83E4A22FD7FDBAC370E1210C781A51018D798BC5F39C9A9804E43F56649E548C562D59BB4371ED473113B952F0
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):223360
                                                                                        Entropy (8bit):6.089485930964728
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CIySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlZBD:k9oSyMZOy406qS2AroAxnw6f9JCXN1
                                                                                        MD5:8AC992B3CEE15917902FCF4E1BB88AD1
                                                                                        SHA1:278D893D5B43C8210F04986205F42D7B842B49CA
                                                                                        SHA-256:2A5F8A9115B28D6E242EC13E0C9B577FC55A4B23AB7605CC6F4BCB7645A7A905
                                                                                        SHA-512:4ED4B2E050D864F66BEFAA8D587972B5219064D5EE989F36FDB410865D30467EF60D6A1B14D53FF6F6E408644059E473134E74BD8B4AE841D1D74F2642649381
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):203264
                                                                                        Entropy (8bit):6.630784933207718
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85Ckwl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:k9ZiFIf34hcUsz225/
                                                                                        MD5:FD99F4BAC9DE9CEA9AEBE10339376F46
                                                                                        SHA1:657C4D31907420906F6B76E7202DBC8D1ED642C7
                                                                                        SHA-256:D40F5C5B2B8267AC486BF5E68ED065502630CD8D5C38C84773A3CD8341DE3479
                                                                                        SHA-512:360A69F494DD27CAB49FC0FBC0A3507593D97D65D41C7D9E7489A89385D1E6ED42F9E4109A3585425F19AC6DD3A19A281CFCB4CCBCB9BBDFD4C914404487A9B5
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):209912
                                                                                        Entropy (8bit):6.339745236465328
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C6fSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:k96fSoD7q/fji2SUKz7VHwmmtj
                                                                                        MD5:57C91EFB667D78BE5744B415C921B0D5
                                                                                        SHA1:875B5401BB112BE99BD150C7F74E5193A2189885
                                                                                        SHA-256:2ADC50C04426A03D30F96FD5E11F16167DCE5AE4E3202FF5F6A21649DF965401
                                                                                        SHA-512:A4958FDA3A3C70A61585A7D0D6DBA9BAFACA06FCB3D242924DA41D3CB57A604B8351DA663BCBACDAF57EB833265C511B77148B9FA12B60468540EB7E0B3EE897
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):209912
                                                                                        Entropy (8bit):6.339745236465328
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C6fSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:k96fSoD7q/fji2SUKz7VHwmmtj
                                                                                        MD5:57C91EFB667D78BE5744B415C921B0D5
                                                                                        SHA1:875B5401BB112BE99BD150C7F74E5193A2189885
                                                                                        SHA-256:2ADC50C04426A03D30F96FD5E11F16167DCE5AE4E3202FF5F6A21649DF965401
                                                                                        SHA-512:A4958FDA3A3C70A61585A7D0D6DBA9BAFACA06FCB3D242924DA41D3CB57A604B8351DA663BCBACDAF57EB833265C511B77148B9FA12B60468540EB7E0B3EE897
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):264144
                                                                                        Entropy (8bit):5.863490790187712
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CQPEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:k9QPEC0QjWGNU6ITL1H0zvjkBA+7891
                                                                                        MD5:1FD92ADE57DEF19C2D5BF4A14AF53373
                                                                                        SHA1:88335A048A05FCE5F5F23411D07AAA53DE05FEBE
                                                                                        SHA-256:7BF6EB7F7150A749DE8581C55BA2E0EB2317B17AA39E39466C22F8E537892070
                                                                                        SHA-512:1035D82569254BE103EC1A2BAE83F02072A17D7C67DC2BB62F1AADEBD06E3A85FE3B352CED35EC166DB4DA7A06489AB839312CACA2806C544B0D064FD1A8BC6F
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):430680
                                                                                        Entropy (8bit):6.627953214122613
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9Bmmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEL:Dmt0LDdOUO42ZdocuI4kxBgGONqEL
                                                                                        MD5:387E91F4FB98718AE0D80D3FEEC3CBFE
                                                                                        SHA1:2A4DEB9782DDE1E319ACB824F32A19F60CCB71AB
                                                                                        SHA-256:2AF36D2872119856CBA456CD9BB23623CB05E8957D74EEADBCD5DED57E17F5E5
                                                                                        SHA-512:1C6029F902DB9F190985B64AE4BA18CB3E770A2DED56511A32C15EBA86198E26B1C8F3BEB399249AAAA9854C72EBF2C50446182F616345004F2FAAD062FDF8BB
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4473576
                                                                                        Entropy (8bit):6.569965325360163
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:pkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:pkkCqaE68eV+0y8E6L1
                                                                                        MD5:809D03153D2FCC1C9E1EE574DDF7CD2E
                                                                                        SHA1:CF1FC95A34AFC5A2FB39504D973BC8380A04BAC1
                                                                                        SHA-256:C2A715F1396DCDAA9360FB09B89992EE8619362062DFBD6C90CFF751C5272032
                                                                                        SHA-512:094FE1BC30027336DFE6A32520DB39D8D27AD1A69716E7E00D6B66D44CFB4EAADBD8D48B6D80BC0D00C60EF0E3483437C82D2185BD704137CB544B11063820DA
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4316096
                                                                                        Entropy (8bit):3.9258169272505024
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:nPNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:PNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
                                                                                        MD5:D303F362090140A192699993B9B481CC
                                                                                        SHA1:EA2783C188FBB317661F1FC3A0CB4492BB8EC80B
                                                                                        SHA-256:DA0ACD313E47ED22E9D7EB3E3E540853B8EA43172CA0CDCAC4E0447868B2B16D
                                                                                        SHA-512:12932A51ACDB0D184CA0AD6B7B1B9B72C8EF698B19B5747BD45DB6EAEB792B942089D62F5AB43106BA840E50D562092FF0056D3A2BAA97E353B2AA64C433242D
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):94600
                                                                                        Entropy (8bit):6.442216424962596
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCgELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:sr85CgE/OTKXI/etG8ICILJ
                                                                                        MD5:3F61817FF96973951F7964C30D7B3E0C
                                                                                        SHA1:206328C89E5552AAFF1C232D4285EF70BB305CED
                                                                                        SHA-256:0F2597EFBF9783DB37DE336D0F7C2F2906E09173873EA105C79EAE1B56E8F95D
                                                                                        SHA-512:C2394D49EF23ABCC1C96DDF60111D2272920698D962F769B3CBB7D77493438201E5B1FB7B196ECE9B709A7DC2E03B26FBCB74699CDE4B1B6AA56C869F287A47B
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):101496
                                                                                        Entropy (8bit):6.2502810194516245
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC2vpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzc:sr85CwToATzvmN0KRm8bOzc
                                                                                        MD5:FA4CEDA48FE9CEA7B37D06498BFCAD93
                                                                                        SHA1:C85C170D39C0BEEA2203B0BEA30C19AABD4E960D
                                                                                        SHA-256:BFD637624C2C9B5ACDC470E589795C7720710782B618830E70D4C08F2498D64F
                                                                                        SHA-512:B95C63A1DDA19FFD988DA77C38E04BAF600C61C32FD231981B6577B351A5D8DACAD0A6923ECBB05692BE06BCCFC365A7AC3AEFC957E25D56C7A5B81CBEA4E208
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):455760
                                                                                        Entropy (8bit):5.934487072040942
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9fwACThwS0vn9IdRsLGEJTdPA6lDfZNAGVx:KwACThwSSn2dRANtlF3j
                                                                                        MD5:EE7FE56AA5473C4CAAF6542F9C89E3B5
                                                                                        SHA1:F94831FB534FA38C6142CE1A73883A5F181D47CE
                                                                                        SHA-256:AA77B4D2A82911CFCC76EEB2184FD513F8E8DABB39B90019E7F051172CA128E2
                                                                                        SHA-512:EE7A769F162F3E4A55A8653F51D601DBEA53533EDBE6F52A96077234E6367FA835EDC9F2DF76F56715EFAEA618D4A77C64F7875725BEF5AC9F5D0E1F799DFC37
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):225704
                                                                                        Entropy (8bit):6.251097918893843
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CHLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:k9rjilq8OPwRzso6AQ5yC
                                                                                        MD5:D2E8B30C6DEBFCF6CF8EA10E95D2B52B
                                                                                        SHA1:E907D9A5B3AC316E5DCB4143A8B9466A548CD247
                                                                                        SHA-256:2EB9FDCC1BCD91C9734390A0F9543B6DEA8A934F71D14D304D0DFEBD9ABE1608
                                                                                        SHA-512:811C739AEED909E5F977E3C69FBBB6DD57FD9A0C5D644129C41D298279C369F9CF8482230DCF7762AC6B38958CC78255B1B2A9261ED0C897E9CF85244F056A67
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):84928
                                                                                        Entropy (8bit):6.496286535630211
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC367wZClMML07MiapFmPRHyzMwzobtM+zf:sr85C367wZClMMQ7MiawHyzMwsL
                                                                                        MD5:577ECDB909EA638F824698FC9662A65A
                                                                                        SHA1:EF5B3EF16FD6E4FCE04774B001C229B091B64242
                                                                                        SHA-256:917362177EC459D22BC88ABB9EA65E385B50A664A9D314AEBDE4AEE3D4ADDD69
                                                                                        SHA-512:2D30E0328E250B90731269650174145A7E0993B76D43A90BAF93E05DDE59B7930199755648C90BE80BB11AD7ECE5555C1F54991E1146A62D1985958E6533A854
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):83816
                                                                                        Entropy (8bit):6.5486905453129385
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC00s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:sr85C0t7wZClMMQ72ahnGzextQyxtE
                                                                                        MD5:0A60BCB1B4624AEFC401299CF4AC158E
                                                                                        SHA1:B213E9E2C230E850B70EEE7670A9961DE0DD3B92
                                                                                        SHA-256:377C6042F55C5245E950DF6C58C8E541F34C68B32BB0EACB04EBDBD4D4890ADB
                                                                                        SHA-512:B6F2C7F1CF562988BC0B4F45D3E36062C08A640F0CC99A3CE05DA121CB107716193FBE3B9B6012B77712FC8832D3EE19B9889018815F414C1FF0DB1EE5EFA898
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):233832
                                                                                        Entropy (8bit):6.444055281477179
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CUW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:k9t2GhN0lsdspzPgg1
                                                                                        MD5:C541C4556C5B21907107E916D65C5212
                                                                                        SHA1:E70DE78F3C4FD8A9364FD54A8283523572F07F60
                                                                                        SHA-256:99669ABB3F0C6A61BD44D379FFBC5712D2AB44E63D1071E1B699E46DAF279358
                                                                                        SHA-512:73761E8DBB28A0A83BA33236CC43609CB11B64716A3CC0EE1394D1C05ED9BD71791566666EBE8B159D13FE3A1B90FB473B865AADAFA69DD3E4513824F1959793
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):502632
                                                                                        Entropy (8bit):6.71908645689974
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k90WDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:kMxCvm7JK6JAB/6N30xpI
                                                                                        MD5:266F86A29B1E6B8B760527C50DA9D660
                                                                                        SHA1:2C054027DC591063B47873D42D973B38B3BDE3F2
                                                                                        SHA-256:F30F2704E1BD0F7B173E9DE79D3BA9FA3CB1B494C8BF20FB4768B5D5EE6317CA
                                                                                        SHA-512:1672AEA98C6142E995BD018CCC8FC7836A05E6A5062C7B615D7C5D04E3E80EC4AC37DAF999296C2F095C4FD2A8FB38766DE09BACDB574266DF0257E697522D78
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):352704
                                                                                        Entropy (8bit):6.38536686774314
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9+EshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:ysHHrtuZtPvh3FuQ/jyp1
                                                                                        MD5:51D8F20B8D5103A7A909B107B6A3B7E4
                                                                                        SHA1:FB4B5534EB81A82E70652870FC68DCB8EF8C9A6E
                                                                                        SHA-256:BBC6913BAC290E98B15A7F65E9CDAC0607BCE18A32CD3DCD1D7EAD307F0B51E5
                                                                                        SHA-512:77A398F43351031F2B6EAACE03F787E49DE72A1C937A24A2847BACFBA8A1FE76B2B031524530E5E5B2648B6B0FA87B53104A92B1A216963F2D233E0D74D03D16
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4395184
                                                                                        Entropy (8bit):5.937082520516123
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:mXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:oR345NRAgsr7QH6h93
                                                                                        MD5:F57075B760A0D881010E15505F0C483C
                                                                                        SHA1:0ABC231159F339F651595E385EC7B466E259470C
                                                                                        SHA-256:3D0EEB0CB3BFBCCB167AE0D1AD90B8EFE17C9B88D491AD5D14A0EFAB223D6E21
                                                                                        SHA-512:64D97EF9B435579D883DD5C08967737D868C6A6B6347E37E248C5DDFB47FA726B712DCABC179EA62E0A936692355766FC06BB4C1DA3087B81092942940068161
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):603928
                                                                                        Entropy (8bit):6.530305704021743
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:bzKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:/KgMxoiPoXruPi/++IvJdx
                                                                                        MD5:8F1CAC64758ABE414CC4B882EE8519B8
                                                                                        SHA1:7018BE9C3FCF4FB4F8138869F9CD40AAB0C9B1A4
                                                                                        SHA-256:110E1BBB7A4F7A42D2099D8A76F068DDE01D63C28D841AAF06D3EA872F261716
                                                                                        SHA-512:19F81CA57D67C8D8B784817E88C10E7768906F019950914B391DF69C2C537380296D1D4B92F7070ED25582E9EB7C015E797D3131D77A70CCFF690CDD39CFE4EC
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):507024
                                                                                        Entropy (8bit):6.145143458075982
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k95yrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzYhPRt+:NrmBjYuALWJMn2XTmL7hPH+
                                                                                        MD5:F6C667D2590E5294F3272D9576BC3051
                                                                                        SHA1:13D893A1521C8BA8D1FCBE11EE0FD16F2E0194F9
                                                                                        SHA-256:03966A5548958182569400B6098219CDDB1EC6C5BCCFB5391A36F66E9F517FC6
                                                                                        SHA-512:E2FE50A7EE86D8B05CCE91C9F0CA07A24C41631A317F38AB380C996475BD8B9CB05BD7B9D49968AE87442399EE7312C69169447B3D527B539F0C8C1920D986CD
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):251560
                                                                                        Entropy (8bit):6.621260401843092
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9BomAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:4sAETlVsKzZPixGBKI
                                                                                        MD5:3DF5147DBAC00F92DDEE6D22533EB194
                                                                                        SHA1:F7ABB04F99361465F9FA9193E1ED06B49381C688
                                                                                        SHA-256:A5BD7911E7F7FC76E27F5BFBF2B4AAAAD9FFE0FD304B65D87783409629EE8B25
                                                                                        SHA-512:84ADC24DBDCBE9EB9A5BD77BBC0F1BC1E59E4C32496F4A435D85ADD042F7FEFFB0FD21D459D62F0BCFF7655CB3262F7BAA491F6947B5F4ADCC650A5B10FCE3E8
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):751720
                                                                                        Entropy (8bit):6.631735781680161
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:DdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINOW:Da8PWELTBlZ+erw+xdeFUsUkEh
                                                                                        MD5:8A6DCA4D7B31FB7626B5FB7430241040
                                                                                        SHA1:258B527B5F6B30411C8727107B29AB9300163817
                                                                                        SHA-256:6DFF05FB541A8D3B7847AB3197422E582AA021963A9C4BF63C44100180CF22F5
                                                                                        SHA-512:2A9714FE31814C0ABE13F59ED77A8EACD0CAF2BF9566FE9B9B0240A942EE5BF5425A5E523F2C51DDBE8BA977675753074901C211A42D899F7AF9F47890280693
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):161968
                                                                                        Entropy (8bit):6.528134300921485
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C9NDS5lS1jITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:k99NDS5lSxFeBTfNDS5lS7zUrsZ
                                                                                        MD5:9A962710D6C3F23726E18BFDCF7D5BEE
                                                                                        SHA1:01AE9DB82D4B7E365E30B4A2A930B74FB8C0C5DC
                                                                                        SHA-256:17D163C4C9AA325EA07FB5E5EFCFC3A308D30D71C7A19BF663350F978EB6418C
                                                                                        SHA-512:0D51336AF8246C7B6EC30F506206198A7873106E07995A69A51D059FA5F83BC0BE6E6744A0D0306DBAA811DF623239FB472880E7C87AE83CC9BFCE70E7C2960B
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):159560
                                                                                        Entropy (8bit):6.577583568198119
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CIklWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:k9ab5zPaNQnBxw34Oita
                                                                                        MD5:04CD44B46689C390B61090CC9AF0DFC5
                                                                                        SHA1:DC21D958A5D799B45AC721528216E981AD9FE73E
                                                                                        SHA-256:19E2D4135729DEEB6086A7B6E50CC9CC238DC19F199BE40CFF80A7280A9D7A8C
                                                                                        SHA-512:7D91066D2D02853B9C71C1D691D1315E0CBDC1111AEA83A4A45CB40AAB26A53311386579BA93AF557C9074D4D69E0D265B13C41A384C23BC254911591C0C8B5E
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):2233240
                                                                                        Entropy (8bit):6.2971498741833525
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:LDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:vqHVhTr5UmY90sGE5dIDG29H
                                                                                        MD5:B30942151231700F5D6432BA1B1A0C0E
                                                                                        SHA1:670E354D40154284F518603B702DC0B7EE94DF82
                                                                                        SHA-256:F8677E5F13CEF8B175C10B333927AFF942E46A9F0C73BE91E9BA8A424B878ABD
                                                                                        SHA-512:8652C36DF9B5A8B245E3F0A4AECEC55E46B55D18020A11AA0BFC0BFDB532870AE06CECFDBC15000B287E171177570A4EFEE44E2F2EF9B228221C93074A65DB37
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):214432
                                                                                        Entropy (8bit):5.994507792871334
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CIVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:k9YtXofXXXXXXASLzb9uhqK
                                                                                        MD5:74D1B233AC72ECF698C6A7C899B119BE
                                                                                        SHA1:EEF35AD9326A5A3E3E9F517DAF69D57D0B700DD3
                                                                                        SHA-256:A74DA825D78F461489E405F90CCCE848699A5548DA0D921864486DC95F18BAF6
                                                                                        SHA-512:FA9D2E78E79A108AEFCFAE48D040EAF500B72B77C3F62404565D257642FC848405FEC7364A8F1F98EEF00B5725C25A77B5C4B37B3CB60A0DC3909A2FE3C5D6C0
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):620840
                                                                                        Entropy (8bit):6.585082275251885
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:ioBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:ioM/BB0Bml2m1q/xRPCcwFC
                                                                                        MD5:91F300014FBA9310BBDBE0CFDEC9A819
                                                                                        SHA1:8091C24B7EFF0215CAF7424ED956322E0E9B4476
                                                                                        SHA-256:450D510099056DD9E931D0094D6963A07544E91B3D84A29CA05223C35273A22E
                                                                                        SHA-512:B39BD37C0DD05D81647E4C42F0E43CEC41DA0291DAC6F7E10670FD524635086B153025F4E4450ED1D51DF6F9C238DC7BAB3DDCDBE68822AEEF9B79827EE1F0F6
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1568248
                                                                                        Entropy (8bit):5.675955532170124
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:+wF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:bFXG6uQ6D9L2uV50AlmsjYUiAB
                                                                                        MD5:59BBEC68CF2ABBE0AA71761A90902F8E
                                                                                        SHA1:CA4DE80AC4640A32C495FCE0237F46D45565745C
                                                                                        SHA-256:2289860922074D80B8F52D6014A3002061616342E0CA952A6A6608E83434F8C4
                                                                                        SHA-512:4CED0681CC7B5F9F40E4F7496F692A55C71C0DB1E2DBC93C08D8415DF9914F01FA8E45AA9FD276305DF824B7C3742E39BAE005CBB4A851B9E264E5129216B43E
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):634800
                                                                                        Entropy (8bit):6.709073721775351
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:jf/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:7/4Vdw+Ra6V6g2kazidN6SoEVF
                                                                                        MD5:93B1C57F0B5C441FF47190254B01C47D
                                                                                        SHA1:8DDFB09946D30CFC78B8D9C4DA9AB19FD0EAE045
                                                                                        SHA-256:846FDD3E11DAE5A991888539674DFB6649A1960E724CF72E2D8E37A23C357609
                                                                                        SHA-512:5B15EBBCBD69C6BE2CCA96D6C0635FFADD5312BB8EE7FFC6A655D191F5EE25EEEA20EA95D92EF45B47D5AC54BB3216C74D0D4DAC3DB1C5A18B0230F285D5B588
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):748192
                                                                                        Entropy (8bit):6.713281323235293
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:KKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBf6:KyY14evTc1kZi7zb1KHL8vbTlwOBC
                                                                                        MD5:D995BB9A7D45C056184104F03848D134
                                                                                        SHA1:794094754972689F4ADF9F876F60440FA74FBD2B
                                                                                        SHA-256:CD263241B90D11DB8E0A0EE42D47AB1F7517675F53C2B8D92C61471746BE2276
                                                                                        SHA-512:89C4B7AF03DF6B2FE3BBF56D476497E9102B0ADD24552A78D164DDAEE453AA1760D12EB4ABA0501A58BD5F00B00DA36CA0BEDD542B271DC08ECFFF9395495643
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1917048
                                                                                        Entropy (8bit):3.840447707777205
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9GBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:DKs78A5UcyOPexxPcUcMeyvZ
                                                                                        MD5:87330F5547731E2D56AD623ECDA91B68
                                                                                        SHA1:273DC318E8812B3BC6457B0EBEE15F9A7F1D0C5E
                                                                                        SHA-256:268E93C44BE7EFF8D80A2B57427FCA2C98E9B08B3E865FFD3C943497AF6408FB
                                                                                        SHA-512:DF4DBF95080AA5378E2E0BC5BAD584C6C63ED6464BB855F84AB315B00B9CE08948BE4C69D7442C2BB96969E69596964510D2FECE737CAE39833628183550D19E
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4099520
                                                                                        Entropy (8bit):3.72186927452059
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:zyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:zyKsY+dy0ZScIBqBT11S0
                                                                                        MD5:25E8600B1421194802B2569899E75383
                                                                                        SHA1:01EFD3FABD4EDF0733F46D91FB9109523E943C15
                                                                                        SHA-256:50280C7E926F959E876BA1BB0611F6C0BAB04EDCEB300D936A887FD3CC9EDE1B
                                                                                        SHA-512:DD49E97D675CADA18BA0EC91B4B0A6DF16A86D17344099E3265D3FAA8C576106DADE231C2829FC1D758EECC24343C6AF345CABEF16E91B3854BDA3824AD61541
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):452120
                                                                                        Entropy (8bit):6.067280009012926
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9xvhCpFviM0OKAOVf3m+2fCz29fx8/eAeTu:GEpFVKj3mFn9q
                                                                                        MD5:7EDAA2971D821AB859302C57099296BF
                                                                                        SHA1:3D7F419C517B8C3F3B881E7B248D2C4F7723664D
                                                                                        SHA-256:CDB80830E3601071C86E0725AE58C9EDCE109BA793910F8C994526EC4E98F275
                                                                                        SHA-512:4EB61A55475E6E87542748AE5C4CCC5B07C4840BF95A84342F09FE21C193B3C4040C27237EEFA4EA469180D24D44B591B1F2833441E456F4E2671A45B9D24121
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):116664
                                                                                        Entropy (8bit):6.595026282405323
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C/uGaz7jFQ68ICP5q0WISDr34W+wst:k9/RazrA5q0WISDrZS
                                                                                        MD5:42085E45C7B5872D0E034915481A8111
                                                                                        SHA1:291E458BAD0A8EE5E491301224197ED1B4E00899
                                                                                        SHA-256:E8180D00A2F330E6EF33CEFC29896F0F77FF21C1FF23A637A003D97FA9DB62D4
                                                                                        SHA-512:0AFD24F81C375210CC5A379FCFFE82B0A50B709A149AE1FB92E4470BF9F1AAF1500BF128C4F4766071C54AE32E89A15A0FB002D64D715601BD7E010E25E1441D
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):167392
                                                                                        Entropy (8bit):6.553431728074077
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C6WKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:k96WK11Rp+8II5SLUgp
                                                                                        MD5:48284F62E79703C80F768CE0ECE7143D
                                                                                        SHA1:70DED4ABEB18FEC56583A1F049F4D39507F983B4
                                                                                        SHA-256:1BFDD1474D84B058F2C6F19216FB31DC42DA4E42FEF61923814B304276CC08F7
                                                                                        SHA-512:A9DD19BA1321A56C4FE3B9CF83E2AFE51D4C915B4F7078EA90F8C3415F64C9F0C3A52DC614AF785045036710D6D819E270B5887F6B198DCDFF9953B8289EAC72
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):670928
                                                                                        Entropy (8bit):6.025784704076014
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:ewbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST2Rz:ewbT+ZR3fGrzX5PtiPWRnTLtx5eq4/R9
                                                                                        MD5:7C0014593C4D645EC8F351AB5F1AB01D
                                                                                        SHA1:967B743450942FF50B9E75281B40B215478D85F0
                                                                                        SHA-256:638614E2B6B2A4E1EB168BF56825B004EF1F247C6E8F27D103BD1D05F18BB0E6
                                                                                        SHA-512:E826164FA068FE3709D1D385CBDA3CA3CA5E6A28A50151CFBB214F3C19783D967F67567E40B390E4905655D8340FCC577A63C97293E0110A1E5F3F6651AEB7FC
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):115920
                                                                                        Entropy (8bit):6.223528340566431
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC5w9K75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:sr85C5w9K1Fiz2ir+o5vWM6TUaE
                                                                                        MD5:499B11002EBE7BD06FB04458174FF873
                                                                                        SHA1:AF90D819CBB316CC4CD9DB1D1E1876129BF6EABD
                                                                                        SHA-256:D59CFF7BC9B1DE8E82D900CDC3A6E2969A14E454FECF6FD068B51CDF1FD6125A
                                                                                        SHA-512:3392C369F2E777155C76E35D1A9309870C87033FBFF32DBA4CCE3AF8525EC49E397C3655016C34B00BC8A7913E0E73151C2C00A0138C639D15CBDC9A16F0478D
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):137776
                                                                                        Entropy (8bit):6.532718929417626
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCfLS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHbfC:sr85CsMi+zWeXdswvqiHm
                                                                                        MD5:0113D4FE73CAEE2B078E5C5B22E0A55A
                                                                                        SHA1:DF82348BA214A6969E368DD516BE07AACADC3144
                                                                                        SHA-256:1415C64134FA9678BD5CBB27D189C8CC84BEE485E7CD1454FC2180FEABF8864F
                                                                                        SHA-512:B0DE44B4E1B6B33C7479C54F02EF6663CF3C2F88CD736423438B46B4E199B5FD51C3E99239BB8B16D6888C613A8CE43D124CB9DAB8ADB561100792452FEDEEF5
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1206680
                                                                                        Entropy (8bit):4.883403224196095
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:E61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:E61jViRTfVINdCr6gX0hEl
                                                                                        MD5:C3E399A5C28495C77505132DA8625D40
                                                                                        SHA1:7F1BC44F6A53E73B222CA0FEC685D4273BD4DFC9
                                                                                        SHA-256:DBA08F8269955771CC3598E1168843F954B0CBCAB7A74BEF8905F56C111F2C55
                                                                                        SHA-512:72C810017137B35B956E26BB0730F1E4EFC0CFDE9BDD5266FCB993CE69635CDA50EB9B3223CCFC2C340D336BAD4F78205D60A7625E37A72A2796C0A5537DEA5C
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):400336
                                                                                        Entropy (8bit):6.662296849527125
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:81rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:ArfIbbhooUBu3wzXa/Dj64
                                                                                        MD5:5087CFC731A5F640730910C5104B27FE
                                                                                        SHA1:3B723898F092788548173BB2DD0C55A85D1D7C92
                                                                                        SHA-256:CACE1F97FC187C817C1FAE597C47782279115799F495462F9BA1EBF1C97001A3
                                                                                        SHA-512:A3FBBB913B2D3827B9191C394D2A0EB76FA71A8C870BAF05BB68A04FFAB76BA0F4500D13B5024FF27E39BA671CEEC9B5BA1715D04BD2961ECE04BC4FE6D8E222
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1662344
                                                                                        Entropy (8bit):4.282519659984365
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CdK2OKsuWoZEsVK2OKsuWoZEckAQckAIDpAPfKrss1yyKrss1yAZDvYbNDz8:k9DztkAzkAZqrEdrEAZUCwFjNNYEzcL
                                                                                        MD5:7A621A47B55EB778A1DC58DA026F13FA
                                                                                        SHA1:179FC259659B020F4495DBDB9349A78EEA8D172B
                                                                                        SHA-256:9591264BFC2E13FB5BC8277DDB0FA59F3CB6F9941BE54B340689CB2D3028BDE2
                                                                                        SHA-512:0964AF4B382A17CE52F817906914D990AD4B2584CCAF7B8887BE7058C4AFE3255741344DE6FC6AD0744717106986E7723F1C9F5CBD7A13A32C552AC70AD25E56
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3531712
                                                                                        Entropy (8bit):3.7844153091218713
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k95gSRJQYKV++VYwjatvsDVpDsehRAKzYM:SQYZTWbDj5
                                                                                        MD5:9144CA1B12B7793E8F18045B281D81C2
                                                                                        SHA1:843A088B9482492885E81B8A5DB7DF5A7A99313F
                                                                                        SHA-256:0C4894C91F6FC680FB1A761CF708032C6E792E806F47ABF0C0AD5B674188CB7B
                                                                                        SHA-512:A609FC1D8A13D6BC46B80E975DC68930D28447852C5F53DE30A471CC989B6CB5C9CBE35A745518B482B283E32A65D6C1E5F41B02B49790E35F91DF1D8D0B3019
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):83880
                                                                                        Entropy (8bit):6.556805464011577
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCEKfEBr3fHT4nAzHGkYJ+ziw6+zb:sr85CEPh3IAzHGEJn
                                                                                        MD5:71B80598872DD0D2851C781764A85A22
                                                                                        SHA1:B6CA4DBD84F0F4E26E641FD8039285AF43AEF337
                                                                                        SHA-256:8295A24E5CFAB75404E37EA3986F43B62512E269934814EC08A10B36BE6C0B85
                                                                                        SHA-512:259C91998EE162BCE784798266D60BB5C97A368E62E42A6791FE2F396399D73496ABEE3699453F4C04CFC968E3421F68981A14CA767BEF2E341FE9E950F97CFE
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4319112
                                                                                        Entropy (8bit):3.8167825827469506
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9xUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:kkyIgG47B
                                                                                        MD5:A660A24C48B0673B94A8410325C43C5C
                                                                                        SHA1:E601D5482D7386BA4731F659A39447D076A4DDB6
                                                                                        SHA-256:4E5802F6C0D19AE853A12439906714659D4FC2D2C5D72462D905077794E3F3AC
                                                                                        SHA-512:51DDAB96D9703744D4EE204A064767B2783FE2ED82082CF63149FCFCB983BCA444C9A42554F72D67BE026859C1C476FAB700849C5D0D16E204A213F36756A436
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):785448
                                                                                        Entropy (8bit):3.9404929226943075
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9dWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:iLevUEcLe9l2
                                                                                        MD5:03818EEB657D70002E0746E88B0AD5E0
                                                                                        SHA1:5B16DC83561232312883A5E49EA8917B1EE45718
                                                                                        SHA-256:00D746A158A3868BEB2F20D8F66789675BB981242A10DA5D1679B83F3F7BAC9C
                                                                                        SHA-512:CD71721A34385D604352492D7A148F6C3AC144FB6B72D225A4F2ACDD4B309B703ED0036B429AEB31FE63B731773AD6A8FE77BFD620BA9537036BDEB90BF8313C
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1081280
                                                                                        Entropy (8bit):3.7785410128751282
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C4yTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:k94s4wqmQN59wtSS2zwmG
                                                                                        MD5:35D2A4B29F56EDDF4C5EE9AA5B79CC61
                                                                                        SHA1:BC00C9FC4FAE06D0EC90A9F15915345E7025F153
                                                                                        SHA-256:BC8A2062F6B156A773EBFA34125DC8673F960DD057C579D2C74181901C6AA644
                                                                                        SHA-512:3CE8168A6EDCBD4A4AB4135EE7BBDF2923A62E4ADECFF19E183B2C54E5903318C5CB956AE28A76F04B63C7A3DD3E464C4AE90AF2D08F1FF5F53F525532B927DB
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1722808
                                                                                        Entropy (8bit):6.4873312334955235
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:Fuoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:FuohO2km9PNsRZ9MtL4ktG5LV93
                                                                                        MD5:F8441CD2F8B20FD75340EDDA57BDB891
                                                                                        SHA1:E194B384448281D8821C7F78FA2083616B7D7339
                                                                                        SHA-256:1F73799D4D76692CC95E6083B10990BACBB90BC016AF0D84A3B9DD5C7F03FAE5
                                                                                        SHA-512:B1825AD19B960FAECDD8AF9675F29999363A3858A26E6FE610E03FBB4E84D62FC68BBBFCCAF7CE51C161B1DA011298CC4EEC43E57F35D24701AD249CC6678F81
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):307784
                                                                                        Entropy (8bit):6.544986970069708
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9Q+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:zDWhS5g72veeU+v
                                                                                        MD5:279AEE74740799844410CC17E9D7DD88
                                                                                        SHA1:B2CD4BDD168C44DD877F12020E236681423F667F
                                                                                        SHA-256:7FD117BC2E9167ACEB2A2E767F868C300645AE6A81F497B307FB8A5D3CF82DDF
                                                                                        SHA-512:0447B166C1F28B9EFB7820349CE7277749B7155E98D7195DBB9509DD0FD0C1793E7A1C9B28C18F8618C1C23F9D7AF46704A313BE9FE4AF01886F9576BBF40EA8
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):97920
                                                                                        Entropy (8bit):6.445251735006175
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCWzKAtCz72I/Q/RPTO5piDDFwzS:sr85CWuFvgy5piDD6zS
                                                                                        MD5:BC9B4C47C903C054F90FFAF5AE807D5A
                                                                                        SHA1:5E293D1A9AD5148B5DF0E4B3294C001A01AD81A4
                                                                                        SHA-256:A26CA014A17928D1EDF1C1560B4B3E53F856C2AEF88C293EE78F6CDAB15FEF91
                                                                                        SHA-512:7AA4B8756668DBCE4C5232EF7334DD7867E9F5107941E0F65BAE3FBCBC510275E69983372F03BF8A939DC4B4008F41470736D720E25969C5D913A5EDA9D40496
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1994448
                                                                                        Entropy (8bit):6.549997020090568
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:3l8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:3l8+++7hOXODHc/EdQ
                                                                                        MD5:4BE8C1392D391FEAA6FB26CFA69BDFC9
                                                                                        SHA1:FA3209AD786AB39EF8A4EF173E9C7291A9BCEB18
                                                                                        SHA-256:2F182A705D4FED647B1BEC5729151DDC040EC3778825C212158B070F7BF06975
                                                                                        SHA-512:1D77C2398EDA378C14EF19511C0A490BDCE2437DDF2E28BC9A85E1ED04991DD5FAA178C6C9E6019165C74DF4E8BCCEBDA6973D40067C019911B019AA3BC26677
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):275872
                                                                                        Entropy (8bit):4.23571320386301
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCt6gJJRaCAd1uhNRu7z3zHt4s+zbCtbCc0xXNmi9RHYOqEWpVO/:sr85Ct6gxe7z3OzY+9jTYbE+la
                                                                                        MD5:CB1984EACAD27ABC9F009A4AD963A49A
                                                                                        SHA1:5C6C4EC164A7C41332B605C6D9817030A473BB48
                                                                                        SHA-256:DC15534405AA721E4B8F70A910B991ABB4F4F9A5A823A985110D56BAC974B881
                                                                                        SHA-512:9806C1F7B4436442159BFD3D1D74308850072A343C059C3749BD5FA4DDFEAC9DAB3ED61E5A35A5E1CC717C3CDF2735B93FA1C99D5A27E1ACD276326D17E5ED06
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):751520
                                                                                        Entropy (8bit):6.5238755488474665
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:PccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:POFJbl/6r2M48aVNfffNfWVNfffNfDw+
                                                                                        MD5:B3C7E94C586500725E1F446C6A930D91
                                                                                        SHA1:54719B158873B1E2402767498F31256321D856BD
                                                                                        SHA-256:1A5CEC0A13524316A7D6646039EBA275C22F22CA164F30B4F50316220F299441
                                                                                        SHA-512:089FE8377087A4EF69D89B75BE8E3442D5C20930C27E7E7FD24E455C96397FE8B7186E3DFF7F1B1FE71853A0C367EB392B6B59B1DCD726C1BEC7937D2BFE4E07
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):182712
                                                                                        Entropy (8bit):6.326834639732507
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CRDbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:k9RXSSwVgvfkhvzHcWEM
                                                                                        MD5:9103C2F76BDB6251CE480EE775266524
                                                                                        SHA1:0F0C95B1A253D32BB23A99A72F5A77D91387A6B1
                                                                                        SHA-256:D51F101246783235E88373EF28189EE54C97F41E46341BE0AF0D4DC455016E3A
                                                                                        SHA-512:8F9598DF6E31EC58FDEEDF42E9A60C42ECC3A278E546614AA36177995DB61F3E2A3887564A2707AB4669082AE3CB2FAB5765D251F7970572C232BB1650216FCA
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):5174360
                                                                                        Entropy (8bit):7.263311718032684
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:b/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPp:NtLK3BDhtvS0Hpe4zbpaAKQkroGIz
                                                                                        MD5:1A968E122913ED79596A9EAA5E7BE7B3
                                                                                        SHA1:96978DB6766A4827206397BA4E8D75A3E3353E7D
                                                                                        SHA-256:C43AD12F1E78AE1817854FB54903030A89A2023E76D3A2CD6C6275B3AB1C21B0
                                                                                        SHA-512:56217DD430159D591109231B2F657484BA7B5BC7DF832668A82A4DB8D6A925183633CA9E68C46E85EF759B617343A13D1CED3D8D91A082A87FFCDBB6E795F54F
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):139712
                                                                                        Entropy (8bit):6.527583416477957
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C4U5adWAKmzUccnzkVBgEuKjj0WWtPPoI:k9/+EjzCg+j6P3
                                                                                        MD5:EE3F4F49708A511BA220F4C073C8E933
                                                                                        SHA1:727CE23C7427FD900FDBBF06715F9764F4F24848
                                                                                        SHA-256:9A7F835403920D85B948447C007988E1C1271D86F87293AA1D1C9DCE4EAD3DDA
                                                                                        SHA-512:8BE2A84BA4F7845369ED052DC4E71CEED8E3B9C075D66BBF7FD1E1A5935CB50EA08F63AEC2B2EA8CA35DEB001F71EF2AF71C2E185D37A75FDEEB2050C79D7F74
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):380368
                                                                                        Entropy (8bit):6.677799145653771
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9XzgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:bw/2q/roN7ivCZci1FC74wdBlFYU
                                                                                        MD5:3B22BCCC611D93FD2228E3098C8909A2
                                                                                        SHA1:46C93B6587FDD25B710E6C0D0ABC426132DEBAA0
                                                                                        SHA-256:FC06A5FADD20D729E99EBF82D696F982352147C7A96C7D55D5FF1F7CF1DA9575
                                                                                        SHA-512:D98A167BC857DF9B7DD4FF2150AF495DAE0290A033C868E3AE00BB01CA7C68EC5D37C75D18BF88B87564CF9E38252360F0914E90AFB64A34929A579C691CB9DE
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1269696
                                                                                        Entropy (8bit):3.750731544998065
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9Rvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:y4wXF
                                                                                        MD5:9344D6088F4232059CC71D89680C627A
                                                                                        SHA1:B6D50543A01F017F333CB69897FFD6B39DD0430E
                                                                                        SHA-256:4C9373C646419B656C368FACB9BF903A3BE6C167B7B20DC6BB0D710AEC498FBA
                                                                                        SHA-512:5B4229DFA9B17BB50F8A3AC1BDFF09395A5B1C0A25CD7B1953297CEEDE312C6DA34295DE61A62DEE6BEDAC1D130F745DC6704E77C8366D954ED72A0914B27CA4
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):266648
                                                                                        Entropy (8bit):4.190895884532524
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCgRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4DU1:sr85CiezzvhF1h3wEWwwbx6ksl4D
                                                                                        MD5:CB076D561CC084FC380019159755CBFE
                                                                                        SHA1:911BB4A2E39DDE9197ECC4678367212B1AA253FF
                                                                                        SHA-256:F9042977D236AF4627461B5F538823FDAD2ADDEF84EF202E0B75ED409D48E3C2
                                                                                        SHA-512:68736CFD5E6488DFB24D65173726EB819DA40AEC1FF7EC6CF4F39A15CFD3AEEAC1672364AE50BE5A417A10A6C50E4546F1947BF323C3FB184802F903455434D6
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):715760
                                                                                        Entropy (8bit):6.523751448498997
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:Y4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j3:3tFDKMg4iX3djfy0blmFlme303
                                                                                        MD5:0E537E151DF5C171C213A1F44DC5F0BE
                                                                                        SHA1:E8EE7F0D91D69DE3FFDB1E91E1DDB404813B39C1
                                                                                        SHA-256:CF49D45B6A84D77F5E9A722FE7182CEF9325A355D885BEEB4D1DF3D88C1CE212
                                                                                        SHA-512:4968DF9F4DEA49214638C86D73A03EBF4BB93E3242022B933B20E47B22AE65F77F57667B701A32A2779D63667CFE718ECB67B55E317402B140210757439FA4A3
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):619944
                                                                                        Entropy (8bit):6.639567335107148
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:ZM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:i8JgryFPLNWuX40RulAPn1OcnGVNfffl
                                                                                        MD5:7B39C44B384E1A5940D5A5E30C8D3E91
                                                                                        SHA1:26B7AA2EFF58E1D4124AC8C70766A15470FF8BE0
                                                                                        SHA-256:EE9FA9DF2D9125438C869924D9ADF3FB141F0D4C4F05C84D1833669E15FAED31
                                                                                        SHA-512:2E8D640CE261BCFDA809A0E896662C3AA5F5792AED0938C75D0EC4B5CB20BCF6895876E44228AD7B448D908EA4544EEA88F7F4B8D379B43B8BE53F849A948054
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):150416
                                                                                        Entropy (8bit):6.5018296889200915
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CCQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:k9CQMzhdV0nh4Hof7
                                                                                        MD5:3FE6C68EDBC948A6D2775DD2EA56088C
                                                                                        SHA1:2C03FCE97D064B53F98EE100E5627418514BBBF7
                                                                                        SHA-256:5681B2A8F44A21E3E1D63B8A99100A453F90EE1E3773240923164922F481B633
                                                                                        SHA-512:2BFAECFF86EEA49F3B79215CAAFE401FCB65D74B4A0757AA79E439A7AD90C52E1E43285B438368676D5A08E20B37C349AFFD362F7CDFE7205CFF63E445345819
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):264576
                                                                                        Entropy (8bit):6.643046809005812
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9y872jsLuLnPo2TTHswP2TGz3FUCHySYI:b+2jsLuT3MfTGW5I
                                                                                        MD5:F85301DABBF0103EF7202407D2DA6489
                                                                                        SHA1:6BE78DB8650184DF98A1B968177E75BB782063BF
                                                                                        SHA-256:8098FAFAF941BD5678FB8B72F560E1AE06EE593C2432163A56FBC60D8FA43495
                                                                                        SHA-512:E5656464BC5030232CA6E0EC58BFB5F2116C6E464CEB1CABDAC941826876ABF3F108B18FF5785779C7B75D153E01857CF37B49D88E2180CE515B02E344583863
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):108448
                                                                                        Entropy (8bit):6.051786357762204
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCMweqz1lezmtJwzojsKyyJFGgHZ//rHzb:sr85CwqzXe0wSyyJFD//Hb
                                                                                        MD5:C4E2228168447160D7F54331ACE1BAAA
                                                                                        SHA1:7878BAE3585B8F37E389DEF0A2830D0C72121CF3
                                                                                        SHA-256:99173D535320C612AE308D5AD58FDA6F6B8EE5AD261F1E038421D2FC53767AA2
                                                                                        SHA-512:ACB3DCA4F6AA6DCA468BA4A42BFA3003F7A4BB0AB18A2C2F99A493C5765FAB5067FB3865C0C02AD6960439AEE89FB2C166BCC90B6A77FC9CE21DC8C1F4B0037A
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):662600
                                                                                        Entropy (8bit):6.001086966772804
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:Vpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:QFEWi4JtH4PoRfoFIxZPk0NKbB0R
                                                                                        MD5:A21FA1DB62F89FAA23E737BD8B609F8C
                                                                                        SHA1:62E374C2F71DCD922D6058D735C944A66076FBAD
                                                                                        SHA-256:AC414AF78ED3914B1E6EB7E4598F400CA7631BC3AA4C8088B0DF5617AD04967D
                                                                                        SHA-512:7485D968298DC04AF7A2297DF77C83EE5A25BEB0AC14932445063EF075FB2CA565AA67E5CE0E4376BFEA7DD31B1B53E66A061E8B8C535887BCA998086132DF94
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):260560
                                                                                        Entropy (8bit):5.4470915703839395
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CH4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:k9HPfQdhMuj4VM8imPjGthEWV
                                                                                        MD5:034F80923F37E7A9899DEA48FBADE531
                                                                                        SHA1:40E144C96F7DBB162F02833B01A7F416D65D4403
                                                                                        SHA-256:521D052B5B7EBEA5EFF613B52FF7ED2659B4D2A521D6A19A6A146C3CE35118B3
                                                                                        SHA-512:2275624F5C92C4B4C606D5CEEBF69F072CC1B7ABA2DAFE8AA7FB672F3B81A8BEDD339EDFFB41192C51CB0F48CB9EE76E090D7A43DE9ADA19D0B8BF2D099C7059
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4316200
                                                                                        Entropy (8bit):3.920672560845374
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:/YN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXsw:QN3nsBcghvEyqf/whxz9hRJ5Rbisrbdr
                                                                                        MD5:47939C01C26C95ADA390474944E9F9A6
                                                                                        SHA1:9CFD7A3DEF7081BB3C54584E2515C30C7C04AD76
                                                                                        SHA-256:9B0869B5057FF84777E81C2D0E0A1E97AB5ABDDD7D80C8D4C94B1C83A53485FC
                                                                                        SHA-512:0F342D003CAC4046AD71858225DACF6A42AADBB4F28F0F022C1F6C5D37D37355341B9F6DF8941AC310324CF853AA141195BFFFC4A1C9935558FDBE387BC25E26
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):124056
                                                                                        Entropy (8bit):5.727061682781764
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCMwu7mzj9zNtP9zNps8Q:sr85CMLmzj9P95psb
                                                                                        MD5:9A2455DBF03A4E060F7BCCA43DD3D64E
                                                                                        SHA1:D4FEB7DEF1FEB03CB7E86EB57D43BD69E8596EAE
                                                                                        SHA-256:0102394DCA78E8B630B3C9613E0C9C620944218FDA84E1E129415E6F972495C3
                                                                                        SHA-512:DEE619AC553F0DE06058BD118164D4A8E4B93A7F20D4B098E5D5AF9338CBD12F5CE94F054B92FDF435BE87596FD154904968FA96970887993418A3B41EAEAFD5
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):358336
                                                                                        Entropy (8bit):4.514937306069578
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9eyUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:5x/B/kib
                                                                                        MD5:C3A4840C5D7823C978C55DA5DA54DF16
                                                                                        SHA1:BF3045BA5D19667D7B3CF1E9CDF52C7CD7CF1101
                                                                                        SHA-256:9EC2D985D3ABDCD53FEAFD25DCA72990C37718FBAA59BC4879B941561870B369
                                                                                        SHA-512:4E76AFB30D33518576E53057C04B8321BF3F209EAB57389C548D3C67DDF968831DAFC74264DD573D9331D74CBB31FE2B09F6149E7786A4CEFC6ABFFAB42F7084
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
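Every dropped file listed above, from the 108 KB AppSharingHookController64.exe to the 4.3 MB accicons.exe, shows the same leading bytes in its preview: a Borland/Delphi "MZP" DOS header, the "This program must be run under Win32" stub message, and an identical CODE/DATA/BSS/.idata/.tls/.rdata/.reloc/.rsrc section table. A header that does not change with file size is the footprint of a prepending infector: the infector's own body comes first and the original host executable follows it. The script below is an added triage example, not part of the Joe Sandbox report and not Joe Security's or ditekSHen's code. It parses the leading PE header, checks it against that footprint, scans the rest of the file for a second self-consistent PE header, and hashes the carved host. The footprint values are taken from the previews on this page; the assumption that the host is stored intact after the stub comes from public Neshta write-ups, not from the report, and the sample input is constructed in the script rather than taken from the analysis.

```python
"""Triage helper for a prepending file infector (added example, not report data).

Checks a file for the stub footprint seen in every preview on this page
(Borland 'MZP' header, Win32 stub text, fixed section table), then looks
for a second self-consistent PE header so the host executable can be
carved and hashed. Assumption (from public write-ups, not the report):
the infector keeps the original host intact after its own body.
"""
import hashlib
import struct

STUB_DOS_MAGIC = b"MZP"
BORLAND_STUB_TEXT = b"This program must be run under Win32"
# Section table observed in each preview above.
STUB_SECTIONS = ["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"]


def parse_section_names(buf: bytes, base: int = 0):
    """Section names of the PE image starting at buf[base], or None when
    there is no self-consistent DOS/PE header at that offset."""
    if buf[base:base + 2] != b"MZ" or len(buf) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    # e_lfanew must stay inside the buffer and land on 'PE\0\0'.
    if e_lfanew < 0x40 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    if not 1 <= num_sections <= 96:          # PE spec upper bound
        return None
    table = pe + 24 + opt_size
    if table + 40 * num_sections > len(buf):
        return None
    names = []
    for i in range(num_sections):
        raw = buf[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_like_stub(buf: bytes) -> bool:
    """Heuristic match on the stub footprint. Any Delphi binary has the
    first two markers, so the exact section table does the real work."""
    return (buf.startswith(STUB_DOS_MAGIC)
            and BORLAND_STUB_TEXT in buf[:0x100]
            and parse_section_names(buf) == STUB_SECTIONS)


def find_embedded_pe(buf: bytes, start: int = 1):
    """Offsets at or after `start` where a second valid PE image begins."""
    hits, pos = [], buf.find(b"MZ", start)
    while pos != -1:
        if parse_section_names(buf, pos) is not None:
            hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def triage(buf: bytes) -> dict:
    """Summarise one file: stub match, host offset, and the host's SHA-256
    once carved (None if no embedded PE is found)."""
    offsets = find_embedded_pe(buf)
    return {
        "sha256": hashlib.sha256(buf).hexdigest(),
        "size": len(buf),
        "stub_match": looks_like_stub(buf),
        "embedded_pe_offsets": offsets,
        "host_sha256": hashlib.sha256(buf[offsets[0]:]).hexdigest() if offsets else None,
    }


def build_min_pe(section_names, dos_magic=b"MZ", stub_text=b"") -> bytes:
    """Constructed input: a structurally valid but non-runnable PE32
    header with the given section table, padded with zeros."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:len(dos_magic)] = dos_magic
    dos[0x40:0x40 + len(stub_text)] = stub_text
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytes(224)                         # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + bytes(0x200)


def constructed_sample() -> bytes:
    """Stub-shaped header followed by a clean host PE, as a prepender would
    leave it. Constructed for this example, not taken from the report."""
    stub = build_min_pe(STUB_SECTIONS, b"MZP", BORLAND_STUB_TEXT)
    host = build_min_pe([".text", ".rdata", ".data", ".rsrc"])
    return stub + host


if __name__ == "__main__":
    for key, value in triage(constructed_sample()).items():
        print(f"{key}: {value}")
```

Run it against the dropped files themselves (replace constructed_sample() with open(path, "rb").read()) to confirm that each one reports a stub match and a single embedded PE at the same offset; the carved host hash is what to compare against a known-good copy of the Office binary, since the outer hash of an infected file tells you nothing about the host.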
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):763032
                                                                                        Entropy (8bit):4.116647791553155
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CSwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:k9SwRnj7XXXXXXSzuz8OZ
                                                                                        MD5:5F6E2215C14D1B014007317077502103
                                                                                        SHA1:B60E82B3994D4612280E92F8A904EFE995209D61
                                                                                        SHA-256:0F15CBFD62C0BEE02B273A9205A780C7440B70E99391E8155D05930DAAE487E5
                                                                                        SHA-512:5E77C8AD2B79A4C5F153B90316CB22D1C09E5E5B5F7DD888EF931B1C2CAAE396B1D09A3874A173ABACF19705979C54FFEB77411E580F91258CF1D9A5B3F8D6AF
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):895120
                                                                                        Entropy (8bit):2.966305885964938
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C+fCEq7tOxIfMFzCEpAm/4rx7z1arf+9:k97z8w
                                                                                        MD5:379B19683AE0BA12E72D1E6CA8CB1612
                                                                                        SHA1:4B48C8899121137D5637838E9610608245975078
                                                                                        SHA-256:3C6082AC7C3AB5EF4F0A7DF17497760B96C77BDDCC8A753881006E74C39044E6
                                                                                        SHA-512:CC8F80347BA3E0BF5EB5E4B90E28FFE23FF1F5B18FA1E0AE9DAEB27CBAC51E52053C9173332C2688FFCAAF2CC84EBBBAD31386F6F6BF7DFE2668EFB7D1F2E9E8
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1082008
                                                                                        Entropy (8bit):3.7745537489281356
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
                                                                                        MD5:3257CDD51A6A354CEE4BA01A54D63EAE
                                                                                        SHA1:5C1A13555616FC7AD988E3A5A847D9173FB70513
                                                                                        SHA-256:80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
                                                                                        SHA-512:CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
                                                                                        Malicious:true
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):105440
                                                                                        Entropy (8bit):6.087841458302814
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJrrZ1jL9zxwKeL9zgt5tjTh7D9:JxqjQ+P04wsmJCIjhzxwKehzgt5t1D
                                                                                        MD5:22753C1C6A88FFB01068FF391B0C3926
                                                                                        SHA1:FBC83E06E31A9EE5A827D90481BEFC36EBF085F7
                                                                                        SHA-256:E727CB8EF6D54A511C18E4FC92AA94841AAFDC284942398D35D1B091CB97D8B1
                                                                                        SHA-512:CAB6DB0DD9EA2260979130415158FFAA22B6DA8E281138D2CB1F569F09384A3E5A5C3935B8B8DC76935F82D9CEA7172904A35ED23678CDD670152E065F20D64D
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):537536
                                                                                        Entropy (8bit):4.968722692341351
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C9PMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQM6ku:k9EwVR6V7byjUWAZyVVdz8eEdGo
                                                                                        MD5:A72A576B968347739046BEEF59A3B97A
                                                                                        SHA1:545247805365655FF64D1A70F672A43D2B4E682E
                                                                                        SHA-256:A1313CE60D736ADFE281422421401E327979DDD34945A4194C66E9235DAA884C
                                                                                        SHA-512:9850A6A6B5310C2437964C199FBDD860CA202A7C78766A0F710B29FEED4541CF09307B9AEB74BD7455CDD7A1D7B990C78285B7A79C699B9BF65FC4426649927E
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1271952
                                                                                        Entropy (8bit):4.084096712356835
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C93ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppapG:k9eKQSNdhnSzv
                                                                                        MD5:892E75C95404B2DD9A4753F53B530F5E
                                                                                        SHA1:6B9A7C5827A767520B61E3192BC3951466CACB35
                                                                                        SHA-256:8EE17679C7E631E0A80CE70778CB3A7BBD044E5C57BDC65526973B421EED3AFA
                                                                                        SHA-512:E7509867E5D3AE99368882A008921086A38F8B890058DCE61EF4C95CE20B7F9B5B1E88F4F038BC792F70888349B27E978F559DE287D7E89C979777086FA1D286
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4099760
                                                                                        Entropy (8bit):3.7180860871313963
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:uBKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:uBKszX0FjOeblHiled/k
                                                                                        MD5:C192144B8943B415548AF24878815096
                                                                                        SHA1:4DADFF2BCB636AE059DFD73067DC938EEF5CC725
                                                                                        SHA-256:45AF4FF535E765EB6973B13C76A80D6A9F4FA4D0B3660FB5D5831718DAC21C38
                                                                                        SHA-512:C50A756D3288E1F779E118892C21C3908503D6D10FB8DDFAAB4F34C5D13A71DCE97933B6977B3AB83E344B0741305532BBBB5C9AF1B6B7F6CB1E1526F51330FA
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1273488
                                                                                        Entropy (8bit):4.319301892791611
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC4qYvbZthqyEATS583ONoTqzaezuC8zFtxzzqO9uF:sr85Cf6bZt+ATS583ONo4aezJ8ZfqiA
                                                                                        MD5:025B19077CDB23D9DC885FEBF629CDC5
                                                                                        SHA1:B7930EDF5AF2089834CFA6DC190AF5EDAE20831D
                                                                                        SHA-256:78CFA64C50350F824AA2C627FB54D8F06E444810669198074A06CC5AE743D62F
                                                                                        SHA-512:C1134FFEE3CE07CB19BD9AFED8986C98588A27EFDB6E8BE72B1571FFF7B18F4014BACE244074FE2846921EDBEAB308058FE93DFE7E17CCB46C225035E4513F68
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):124056
                                                                                        Entropy (8bit):5.727061682781764
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCMwu7mzj9zNtP9zNps8Q:sr85CMLmzj9P95psb
                                                                                        MD5:9A2455DBF03A4E060F7BCCA43DD3D64E
                                                                                        SHA1:D4FEB7DEF1FEB03CB7E86EB57D43BD69E8596EAE
                                                                                        SHA-256:0102394DCA78E8B630B3C9613E0C9C620944218FDA84E1E129415E6F972495C3
                                                                                        SHA-512:DEE619AC553F0DE06058BD118164D4A8E4B93A7F20D4B098E5D5AF9338CBD12F5CE94F054B92FDF435BE87596FD154904968FA96970887993418A3B41EAEAFD5
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):2970664
                                                                                        Entropy (8bit):3.8530507327775085
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C4Nd0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5NGu:k9I/V/CfDhNG5sMXjjzmEPoL
                                                                                        MD5:AB3E9B8C0565CB076490949DF074D582
                                                                                        SHA1:F5BEC2D8CCF13A10D82C27B9A14289A009DDDDEB
                                                                                        SHA-256:1C4DA1D108B71EE639AB846128E5F08D6E5EFA4D5BE02C2862597BD4BDD96DE7
                                                                                        SHA-512:532493C141AC8E3B5FFD99E0F13AE8A26E4838AFE7B282A02C62B1BD2B7083DD04EE1E39B8A2BFC559DBB7B8CFB6D64D146BB20593A0FAC64E41DB5D81EE7287
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3531712
                                                                                        Entropy (8bit):3.78009314420001
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9msSR7PYKzz38YwZItvsDu7DbDhRAUzHW:ZPYmLWSDBy
                                                                                        MD5:3AF0E40A55AEE11DC01E0F1943041494
                                                                                        SHA1:ED8F0489550B78892E6FDF80784CF5D672AB3F2A
                                                                                        SHA-256:8A8212E9F7615A590E3BD2AF07E650FEA60CAC875388F57F7AD1CBADD65A11E9
                                                                                        SHA-512:54741EB3ACEADE514E1E305A9D4937C59266DFC20F108F9A87C56EF283519A8CC6DAAE1953706A20860F390520C48C0BB5A4482C751E335B45A0E5858967D765
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4319272
                                                                                        Entropy (8bit):3.8126753798312922
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9GmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:z+6M+595B
                                                                                        MD5:A914483FA2C2F86E415633657D33D59D
                                                                                        SHA1:E687C9ADB19340050BB434F1A309290C72D0DBD1
                                                                                        SHA-256:42B15769C1B7B74FFD9022A9E377783EE59F1F75688E1345D1A09DBADBD3102C
                                                                                        SHA-512:1784002A4E99F5DC77C4DEE11FB25E413A2840F4FBA5C001F40BADE7A8DBD172B363BF6EBF66883FA2A3FC0B03E3ACDD5FC485EF7DD3DA4493CDF93D8C2EA4DE
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1082008
                                                                                        Entropy (8bit):3.7745537489281356
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
                                                                                        MD5:3257CDD51A6A354CEE4BA01A54D63EAE
                                                                                        SHA1:5C1A13555616FC7AD988E3A5A847D9173FB70513
                                                                                        SHA-256:80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
                                                                                        SHA-512:CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
                                                                                        Malicious:true
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):582184
                                                                                        Entropy (8bit):6.400758373600043
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9KLWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:DLxT8DhyiLduCe/lSpn6zOvYUFg4/
                                                                                        MD5:C0386A35F92FB82637471B03FCA1F0CA
                                                                                        SHA1:08E07F04682C582336D3531610A20DCD38CD43B9
                                                                                        SHA-256:77AD987963ACDD9D867BDD33F3778088B9AC461334BC4A1E49A4982D325E702F
                                                                                        SHA-512:E6449FB51F16A1674365D4CE644DC0148199524E9D9DACDE0FB17B26C0C4652C924BB6CAF284AF125958632B9BCB111069EB6FC9EE1A26D83B15F67EE8DA365B
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3837992
                                                                                        Entropy (8bit):6.4449937551945595
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:tB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:5HzorVmr2FkRpdJYolA
                                                                                        MD5:D7932DE11B8AD54A41413381EAC41AC2
                                                                                        SHA1:8B383BA02414803CFD515A8384434AD5CBB70231
                                                                                        SHA-256:DC1F4FD1F3F718C6965F038472EDD640437CBE0BD2B77E21945073AF404CB90B
                                                                                        SHA-512:48C561E17BD75181D3ADEDB41F1172BB95163E3DC5792DA212C218F80878D45D3C49BEEFE44E76BCECA77EC644A83A16C59316CC2178A976D91347D389B3741D
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe, Author: ditekSHen
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):161832
                                                                                        Entropy (8bit):6.154443017106145
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CX2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:k9mVSktVjv3Xg5T0FIY6
                                                                                        MD5:6A0721A64003242C799CF2DD85B0713D
                                                                                        SHA1:AC7451D1A042B9980D506B43237C5C8A3D218989
                                                                                        SHA-256:88EB264B7A72C62D8FC399469E7E573BEE906C8939513F3A869656E5B667BBBD
                                                                                        SHA-512:B3F3E9DB4126A6479E6CB455FE8BCE1F8BB108270C2BA9C422E17932E901A65CDFED66DAF2A11C082BC924EC9EA51484418F4F09990848B91912BD3E1EB63AD7
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1827880
Entropy (8bit):6.540770888228441
Encrypted:false
SSDEEP:24576:bhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:bhDdVrQ95RW0Y9HyWQXE/09Val0GE
MD5:624A5B15DE2385F6CA42DDCE0E24D109
SHA1:13FE13198A9BFA24774EEA44759471B31EA439E7
SHA-256:A7DF6A45B54B30014DB94309F3BBA50A1EA8EFB8EAD01682BAA6826E533418C5
SHA-512:CE244B2DAF739BFDC491C28129CA6504966CAEFEA0BBE16871522089A825133F2C1609D51266058A62D767F3624C514421F09D50DAC5A11CE26B5C8B804A641A
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1297448
Entropy (8bit):6.514786717345656
Encrypted:false
SSDEEP:12288:bdoA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:b70E0ZCQZMip6Rrt9RoctGfmdd0
MD5:C9FE3D4AA1438A059AAE69A5D8FA4269
SHA1:288D3F38B4A6797E15187C00A24D0AAD1B5BAF60
SHA-256:913E86233F11A6A269DA1A324D43C9FF737A9AE0DE1D9DE59D0AD961137B9F2A
SHA-512:0775ECDC44DB15BD92B103F75410BCB4079D7165C6FACB7CD0DBA091DB94E4A6648A85563FE24E33D862E16CBA73993461533D4CE196078FAF6AA9030D39C288
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4251688
Entropy (8bit):6.5065813007912885
Encrypted:false
SSDEEP:49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:EehFLvTQDpB5oSOmlBl
MD5:23A855DD7FA34F616F73B392E464E216
SHA1:EFD849CB22D1D33B16D6FECD54C318B0A6E222EA
SHA-256:E198D71BC75B0E61DD2F61080062B4E41ACDFC7F7FF148CB11839DE3E0523A27
SHA-512:8B4AF629B2022F10FF2D3FD4D4C73F9B23CE085B08B70FB29044D03F0FBC498BADF4D62854378FB0A0E6A2DBE2848D0B83550C3F6C3C08CF05C50C81B04B6A5C
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1319976
Entropy (8bit):6.504627467158373
Encrypted:false
SSDEEP:12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:giD2VmA1YXQHwlklb8boUuWPg2gX
MD5:ADDCC10DC80D3B994800C6B44EC0B5E6
SHA1:C52E9B1C03747A2B4F350E6CC288851DE64AC113
SHA-256:03B114F2F97AD84613CAA8E5F964D4C8BDA56DAC8EA9C680A1DFBC43449EA14F
SHA-512:74E250EA454D878ABF1F9CA3E7AEC66600A5FC785555FDF708E22103D51E939072A0B28FA7AAFD847D370DC03781F723B216117361389A3F87F3F93874D26AA1
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2327080
Entropy (8bit):6.531478857250512
Encrypted:false
SSDEEP:24576:+fD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:+fD3zO9ZhBGlopzM3HRNr00z
MD5:DB94AD04A7559F74A92620CB04373946
SHA1:826B3FCF77456D83544CC451561FC9DE5978DAEF
SHA-256:8FC9FD66947D8CB6D1BA902B3174924A872176273E4B9545CC05F2486A0AED73
SHA-512:E5705F611A87C57C2172055A947CE5BBA675605319525FC2678D317625826A9893D1149911640796BAF0305A94FC76BDB79C8F31D7782CF113A8904B3AD41100
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3790800
Entropy (8bit):6.537921104997593
Encrypted:false
SSDEEP:49152:OTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:hI72LvkrCpbxJRoIMx
MD5:5750A055DF2980C145707A60B2CDE7EF
SHA1:26774B8B7BA30DB32A6AF0A6C7FCCCE981823474
SHA-256:A954923EC03888AD38B22F135037F62F520988C5A5A87676882A2B972CEB54EA
SHA-512:229FD22736C66BA9D5836F2D2A747D4B761184BA134C818D91B443E255CDDA32CAFA4419CD19AD49915CE20206D865F4B7F9E0B388C20298857B5BCA5CC4217B
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1535528
Entropy (8bit):6.517840298614509
Encrypted:false
SSDEEP:12288:q406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:rW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
MD5:366FA8E2786C71AA81D106EF9FA15233
SHA1:B626BA440B5EB37132849B697AF040A7E462E0B9
SHA-256:1B87E233A5CAEA65CD8D8EBC91AB48A42F18FC9991041599C202EA85995EF24E
SHA-512:D596450A8A03F6894982DAC3861C4E34339521F70DEB5073343F19565DA47A168025DFA3C1B7178677C9116A22F6A499D1277F28D1E6B829743D949D9592A848
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1273384
Entropy (8bit):6.516053672496002
Encrypted:false
SSDEEP:12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:CwNHwoYhua6MtERO4qbBJTY6mY1uIgp
MD5:64A7111DE17E26E2B89E10AE82FED662
SHA1:911E048F0336C9BBA3DA35E48BEDBBF04B4035A9
SHA-256:3C470FD7B87FCEC230016076A57F77324766326295D90138E4A780EFF0DD36B9
SHA-512:65A8D9276DD61A9666323D4A73950D854422B43BFD4D43F83AEB1895DD3338869216A53930B10B753347B6C8DD6338FCEEB3336E41730DCE74CCC01FA7616C5B
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):582184
Entropy (8bit):6.400936059459134
Encrypted:false
SSDEEP:6144:k9KLWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEB+vMKC239YcWegBdQ/:DLxT8DhyiLduCe/lSpn6zO3YcWeg4/
MD5:A7CDA373FCA11D6EEB029FD727F6DDD0
SHA1:1276A053735941055356FB1F80E1AA7B86191130
SHA-256:FB3B99A2E3DCC779262766AF821F1FFBF97381285C647EA0CB4D3C848E864EDD
SHA-512:6292B1ED042D35BF41C7122CE0729A10CB539675BB23902BB899BC48E4677B970A21C052B336DCF61346243BC2B8783FA9D645090F876DD95A4AF44FB9167D71
Malicious:true
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3837992
                                                                                        Entropy (8bit):6.445010152117068
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:tB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8nsct:5HzorVmr2FkRpdJYonf
                                                                                        MD5:638DD04FDB80F09131230BAA866C7F33
                                                                                        SHA1:E4970BC6E400A41FE00CCD7C2EEFB663A06A1521
                                                                                        SHA-256:DEC3FCCAF14C63D3F76E843C4973D0C42AB43500BC0C4E244661FA33A32FFA8C
                                                                                        SHA-512:B29CD904E9C3176C28BF5316F4C88B1ECB582310CD61C87F934F42B00453D809B6BB4B9C81DE262C55BDE391D673A71E2B16AF7ED7205B656971792B0AE487AD
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):161832
                                                                                        Entropy (8bit):6.15462571311845
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CX2VSd2ga8LActASiZAk6BKuBeU5M3XgcoT0cs4qIm6Y6:k9mVSFtVLA3Xg5T0FIY6
                                                                                        MD5:AEC97F14CB32E4473CCFCEEE3414630E
                                                                                        SHA1:FBE10ED6B17ECBB49B5749ECC13D4F82FFCC2105
                                                                                        SHA-256:0A831E125B2A928C8A77A4D235AB7F78E7F68396E675A6C7EE83678952CCFF73
                                                                                        SHA-512:DE05E6DA8E59EC0AA381030A9FAF9A9E07BA7AA647DE9D3C64C116646D388B1BE20A884DF6709ED64AFB59D4CA7AB1D40AD1964C62FF164FFBEB7893F61C69C8
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1827880
                                                                                        Entropy (8bit):6.5407573599295254
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:bhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmaSGv3I:bhDdVrQ95RW0Y9HyWQXE/09ValqGg
                                                                                        MD5:0A2DF5817ECFB6C13DD006396EC483FF
                                                                                        SHA1:5A680A5626E4A8A72B7C4F60D75236E7714B6A6D
                                                                                        SHA-256:CE97125CBEEADED7382FAB1E4EA4F44BD14CD4125D0872032FF0D70A40B807E8
                                                                                        SHA-512:73342DB5F0DE436039A24A7BD75ECEAC071B46AC816534F7465278CD47D62A3FB38E8AEADA78C9727F8434C92A96DDE81EC9711A6BD90020FEBA39BE705C07CB
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1297448
                                                                                        Entropy (8bit):6.514829630269744
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:bdoA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfousMA+nkzddSDCDIq:b70E0ZCQZMip6Rrt9RoctGf4dd7
                                                                                        MD5:2C299EBC50A9C606FB56C150D272AB6E
                                                                                        SHA1:2A3171FDD0043622013E1AAA856411285DD1E0A9
                                                                                        SHA-256:CB02DD09C8F959D4F87C3DA73431E72BC1179F630926592DFFDB6B01DE676130
                                                                                        SHA-512:C6ABE668C5E6486F7FAB0EAA6CAE5E616829D57FE05EBCBA1155BC98602D94031B1C2544DBFC1DAAB87971F45D6BF7A0636DAA54C5797C0B6995DA034C6D1A4B
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4251688
                                                                                        Entropy (8bit):6.506601585747478
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9k3hO2y/BG:EehFLvTQDpB5oSOmlWs
                                                                                        MD5:2D1AFD81B69BDB71E8752FBA29DBEFF7
                                                                                        SHA1:5ACE2DF88FD36BA3B059E9DD843E56FDDDBC43E3
                                                                                        SHA-256:913C4E2D675E4141241D736F7EE4579768AA92BAEED7AFF2599665810EA07A93
                                                                                        SHA-512:5CFC7635760A2DC46F377BD577BEB10762EEB02959F869360F690471E6C2CA925F00CC22FAE8330380F656E15091081138582352F2A2FFE6CCD5DD6433030458
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1319888
                                                                                        Entropy (8bit):6.504468342684673
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVKMA+nkDhF242oz5:giD2VmA1YXQHwlklb8boUuWPN24Z
                                                                                        MD5:2A860E6C0769147E3B8D3334220CB3CF
                                                                                        SHA1:132FD725E8DB41D80BF8F80AC88ED711A69985B7
                                                                                        SHA-256:179F9F3EED6CA07120C5F0C23B27CD78E4FBF47ACBE5F94A6F5D3474EA97B6DD
                                                                                        SHA-512:2F6E05C35939BB827B0C55335BF34252539BBA694CB39A282DC698C47C3FFEC095984C0341C991F7C1C7DA4667F8678D4BECEF1CF4F387D8C79749E7536EF89C
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):2327080
                                                                                        Entropy (8bit):6.531427859835536
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:+fD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPzkkkkkkk+oIeA+:+fD3zO9ZhBGlopzM3HRNr0T+
                                                                                        MD5:F345610CFA0F124DB4EACE9B5E5DA7FC
                                                                                        SHA1:7ED5AAF590BA295CB47A9B7578C9B4E503B99724
                                                                                        SHA-256:5614DE715D8D354214710B6A2FCDD7D800DDC5929316494AC5F6A891752D6E7F
                                                                                        SHA-512:BD96F81193F3D66E220AAF7FF07EF533A01E6F2446E43EC11C30D0A839BF447CDAC70E3E3E1979055F2C2C376633B2548FBF495BCCE8D0A57CDA0EA92F12CAF3
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3790784
                                                                                        Entropy (8bit):6.53787335939445
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:OTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl952hS:hI72LvkrCpbxJRoIMP
                                                                                        MD5:6D59D0101B966959D2CA6D9DE5CD18FF
                                                                                        SHA1:82F49FD714143AF53BBEF485CC8FAE0B61DF33B7
                                                                                        SHA-256:89E9B10249006F9D1E3C1545364C05D958202612D32D5AF1E3B5FD3FCA2A19B5
                                                                                        SHA-512:010405526F02EA57CD4DBF57DEE3FD65496CE78B8F61E0676D4B81A8C721D09FCA3F19FA4AC76223AA673A54164BF4D97F202D7A18EB24949AD2012982696979
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1535544
                                                                                        Entropy (8bit):6.517950188129204
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:q406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwomMA+nkVZnHt:rW9Jml9mmijZiMnF+ZxmQWcbLwlVN
                                                                                        MD5:E8CC4E4F901E983E0BD3F5AFB0E0B317
                                                                                        SHA1:EECA8C668CC4A272D3930F5E157D8EC559986EEF
                                                                                        SHA-256:ADBEB820AD1248B1BF317E66D3CD47F0581333ACAFF9FB71208BB98D10F0F70C
                                                                                        SHA-512:AE719A867885D5B534F4F373096BDA4EA67F2BB1B153D8D900116C4DD3CA31427E0FA01792492A9418131EF8D859837BEC97280E74A103C459ED08793ADF34A3
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1273400
                                                                                        Entropy (8bit):6.516132050961381
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkIogjkd9:CwNHwoYhua6MtERO4qbBJTY6mY1u9gK
                                                                                        MD5:5004BCCA237116BD2D00C8EDFD68D420
                                                                                        SHA1:067792234F129A179AE9C8BC0C4DC7F1519862D9
                                                                                        SHA-256:7D2270C167403F984DD601BA21E9CF228BE8D2F156A33CAD14529E477C90227F
                                                                                        SHA-512:B04847858876A4A10AC01FC6CC78BFD1939F4D535460DE57498806E8DFE9CC8A5AB445D3D632BAECB6A9C2270C6D983833BF8BFBF4D59813CDF2CF28AE1DCFDC
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4251688
                                                                                        Entropy (8bit):6.506601585747478
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9k3hO2y/BG:EehFLvTQDpB5oSOmlWs
                                                                                        MD5:2D1AFD81B69BDB71E8752FBA29DBEFF7
                                                                                        SHA1:5ACE2DF88FD36BA3B059E9DD843E56FDDDBC43E3
                                                                                        SHA-256:913C4E2D675E4141241D736F7EE4579768AA92BAEED7AFF2599665810EA07A93
                                                                                        SHA-512:5CFC7635760A2DC46F377BD577BEB10762EEB02959F869360F690471E6C2CA925F00CC22FAE8330380F656E15091081138582352F2A2FFE6CCD5DD6433030458
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1319888
                                                                                        Entropy (8bit):6.504468342684673
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVKMA+nkDhF242oz5:giD2VmA1YXQHwlklb8boUuWPN24Z
                                                                                        MD5:2A860E6C0769147E3B8D3334220CB3CF
                                                                                        SHA1:132FD725E8DB41D80BF8F80AC88ED711A69985B7
                                                                                        SHA-256:179F9F3EED6CA07120C5F0C23B27CD78E4FBF47ACBE5F94A6F5D3474EA97B6DD
                                                                                        SHA-512:2F6E05C35939BB827B0C55335BF34252539BBA694CB39A282DC698C47C3FFEC095984C0341C991F7C1C7DA4667F8678D4BECEF1CF4F387D8C79749E7536EF89C
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1273400
                                                                                        Entropy (8bit):6.516132050961381
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkIogjkd9:CwNHwoYhua6MtERO4qbBJTY6mY1u9gK
                                                                                        MD5:5004BCCA237116BD2D00C8EDFD68D420
                                                                                        SHA1:067792234F129A179AE9C8BC0C4DC7F1519862D9
                                                                                        SHA-256:7D2270C167403F984DD601BA21E9CF228BE8D2F156A33CAD14529E477C90227F
                                                                                        SHA-512:B04847858876A4A10AC01FC6CC78BFD1939F4D535460DE57498806E8DFE9CC8A5AB445D3D632BAECB6A9C2270C6D983833BF8BFBF4D59813CDF2CF28AE1DCFDC
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):225232
                                                                                        Entropy (8bit):5.921842033117269
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CPcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:k9PcwVz4B8c37KoNX1q
                                                                                        MD5:C0877D9CC17715787EC3329EB0FAD7C1
                                                                                        SHA1:E51DA518D764E4982471BE235E096A8D11217A56
                                                                                        SHA-256:17C75E1739499E52B56470EED4C924379065703E8C665E449882E02856F96205
                                                                                        SHA-512:EE748102A0C002B25989E073585DD7A611A64E85CB0C57CBD6592733A038BC8EEDBCB8F917BBBED02D7759C5621F5B6B03A587B317FD13A4014CF113C4FC4C57
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):247760
                                                                                        Entropy (8bit):5.770986149607887
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CKW4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcxAe:k9wl/DRfkTC3dM7B+mCivAT
                                                                                        MD5:86242784CC98EBA7A0B0A1833901F76A
                                                                                        SHA1:19178197143972E718023C5EA70F631971A4BC2D
                                                                                        SHA-256:AB99BD10F6FB73856BAF95E9D4AC0434DF660B74388E53206955B9B512F3350D
                                                                                        SHA-512:2AFEB5CAF7728E2EBD04D3BF42AD55AAC759CAA453FFDF6BAF0D8E7095782F90E165E3009ED619A7E8A3E62638C12D8C67016092972E193215DF9A3422ECB589
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):142288
                                                                                        Entropy (8bit):6.426113960826444
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85Cy684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:k9yrTB+AleYIkifYUF
                                                                                        MD5:9AD6CF45A4476B8A6AFC310D5E410235
                                                                                        SHA1:07A614202F584361E48471CB3DBDB3FCD24E47FF
                                                                                        SHA-256:1655811CC8A1E4BC12127B20600F93AB3DE3CC467CED76ED99C04C83FF15763C
                                                                                        SHA-512:2737F8675AC768EDEA72CDF6F42579F1FC1ADE43122AFEE8971801ECB2F2E93DD10815DA419328D3BE26FEC7C633F881027BFF088877FF9F80BE96D5C106AABE
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):259024
                                                                                        Entropy (8bit):6.0902993716555995
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C5XEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:k95UVwleMITTmNv1ohWsqYI354I
                                                                                        MD5:628F406DFCBB08B84171E530D77B3C9E
                                                                                        SHA1:0A22B2ECAB9EAD7F1D399773BD1BB1FC359EB708
                                                                                        SHA-256:482D936CBBF75D3C6248BFCE1B6E5546AB79DE4D4A715490F62CF8674517AF64
                                                                                        SHA-512:B9A97C76AA2A38273835DEC7C0A9E91C668038C5BC422BD92654C259865680F92B841115C92529A1AFC50E70CC358FDEB2981C8AE43852C6EE090A3AFF92AA6D
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):305120
                                                                                        Entropy (8bit):6.414707301174103
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k98FKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:XKucTm3RhMfoSBjA9U2Yxh+Zgb7X
                                                                                        MD5:9938BDFE29D3CFAC8D713DFD743243B8
                                                                                        SHA1:68CC77B8F114F34BE1A4A263D7F8736E857BBD12
                                                                                        SHA-256:9204357B6EB1CB6459E2B0B67FC95E3A80D90781E0C7F97D7294FB6563B20CF1
                                                                                        SHA-512:4F0C37C0BC405B483D11A80C5A23C1094ACB9E9CA48DDACC662E989AA21E301940018C08B5A861B482A06AFF2EA8AC9AAD0C8ABAB7E15628348764E779D306E4
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):142288
                                                                                        Entropy (8bit):6.426793148875817
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CtaivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:k9FzB+Aw4CZNr2fYLl
                                                                                        MD5:2AFBE95A5B1815B2E957E569D2CEF5C4
                                                                                        SHA1:BD94E512E4EBBFA8D7BA255E66015DB721CA4801
                                                                                        SHA-256:B5385EBBA1FA3E8E1288780A37ADCFE065EC02C764BC539F60CF0BBC2949BAE6
                                                                                        SHA-512:0BD007F304E27149CC134004BC51ABD86AD3A701F72DDCD0A121399A73FFAC72061A6B027477DDCD29464C7F50232F7197DF5BA5A8432F051D40FAC225512951
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1640416
                                                                                        Entropy (8bit):7.912831259553018
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:1wy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUG:6y53w24gQu3TPZ2psFkiSqwozX
                                                                                        MD5:DCC61986BC0A26675681559C484E15FB
                                                                                        SHA1:6F413F9D4A2B64A6F9DCA21B9310EBFF186D6E16
                                                                                        SHA-256:A341E8D1C1BA0A82635135A5A24089C3EA484066B02E28B1CAFCEB1628BF53EB
                                                                                        SHA-512:2C93519CBBE6B0AFAE36A696EDC6C33A25808D562A286BA278DB0418440BA4DE7B27823F13114581D3F2C830BB3261D634622CDB4053EA28EBD4BCFF3216CFAE
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):144866
                                                                                        Entropy (8bit):6.240317481153233
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CORD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:k9UD5lZ7y4j9KT4DteUY
                                                                                        MD5:6A1BE74AD1EE28433BF1549DFA813DC9
                                                                                        SHA1:A4BBC87890CA7463AEC75B963291A69B65390653
                                                                                        SHA-256:BC21B225F668AE2C3B8439ADB91969D39F711E9D57B557AD79FAD8FD8AEB2085
                                                                                        SHA-512:8A0033D4D5B82856CE0826B9DD90B792BF9E9641463DAC1DAE83ED6E3F18F384AB6CC5E0998615A8DCE5BD6CD360E17BCE85C1FF8AA45B08A95383D89D228B0B
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):280480
                                                                                        Entropy (8bit):6.386490869107258
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9wPr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:/DQXRVTZu0GP+ZR
                                                                                        MD5:F7B6F7CA5E4D9AD2DD9B1887D57CFF86
                                                                                        SHA1:2E0494EF5F5603FCBB0F12F593F3F401930C2FDF
                                                                                        SHA-256:26EB1DC3EBA8950CF5D8663EE94CA6105BE1227DD239B81FF571B4372D49D320
                                                                                        SHA-512:181262E06BE2C01A7BDFCD4DEA634D71FD39D795339FA6A3FB327FE7E75BBB12C0B5AFC1E8811DDACA14654268D0D26E828BE1AE475B05503626684AF7190009
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):4473576
                                                                                        Entropy (8bit):6.569965325360163
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:pkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:pkkCqaE68eV+0y8E6L1
                                                                                        MD5:809D03153D2FCC1C9E1EE574DDF7CD2E
                                                                                        SHA1:CF1FC95A34AFC5A2FB39504D973BC8380A04BAC1
                                                                                        SHA-256:C2A715F1396DCDAA9360FB09B89992EE8619362062DFBD6C90CFF751C5272032
                                                                                        SHA-512:094FE1BC30027336DFE6A32520DB39D8D27AD1A69716E7E00D6B66D44CFB4EAADBD8D48B6D80BC0D00C60EF0E3483437C82D2185BD704137CB544B11063820DA
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):501656
                                                                                        Entropy (8bit):6.318829677338838
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:yLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:yLOwxyNHBVEHRiSFVlDW
                                                                                        MD5:9FB296CF47C4D3E0FEF4974685EBE922
                                                                                        SHA1:201293BEEB98FB83D118323C4803590E8C88E060
                                                                                        SHA-256:5E21FE2FE640F209EB75B696C3334E577D2035436206C88C1F2E676CF560B75F
                                                                                        SHA-512:CA9999251A1905BCA32D46857BD1213D37F2D33689E4D818FC006B88B84AA49AD9DB07B0C4D33361EFC0BFC697F705AEAF90D762C6CFAB3C9A9644BA73D750E3
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1637776
                                                                                        Entropy (8bit):6.316717941409346
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:P7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:zZ1tKTwMZJ1XBsn/UC6dugWA
                                                                                        MD5:987399D498F6C2C7196A60504DCBA1F6
                                                                                        SHA1:7A48D6492B9BB936EABAA4C979BD25F87AB3F9B7
                                                                                        SHA-256:9F924F7B9B84FBB73E29C707D1C1D61AC00A3AB295BF1BA9754E2189D6E4BC24
                                                                                        SHA-512:DE1F5790664A48EE5001541BAE7727431467A65B54EFB43412B1EB474DF6477110E98B8DA1168478B0CED1FA8DDBF69FE7BA209F69FDF9BB58F964A514B12E36
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):224632
                                                                                        Entropy (8bit):5.625757771676373
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CBFtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:k9Ttx0SA+EySaQKeUz41
                                                                                        MD5:0FD839CB7D94AF1C672BA149E6C580A8
                                                                                        SHA1:12CB0350EC3AEFBC189A117621DBFDCE5DBB6E86
                                                                                        SHA-256:E033F780C0F8E58FD81724A1B5B02CCFFF788553B2F5308E4EB46DB37E30F9F4
                                                                                        SHA-512:F54057339522E8B1C30550BCCB56B420894FEF6B51F53709A88105362AD09F5A83FC1478BF8D7CD7A0B48D56BE5DCEB8597B71B989743133B2954DEA0E364A41
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):431336
                                                                                        Entropy (8bit):5.904107554819713
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9GzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVV+:/zBRnCBOrsBOBf
                                                                                        MD5:641CC24F3AFB9E381161F17600323269
                                                                                        SHA1:0A390D9A57B534A9A1C0CC441D9CBD9998608140
                                                                                        SHA-256:8B5A689B0DB4EFE44C0601A89E97BA126F1E4EA943621B8EE444ED85EEA50CAA
                                                                                        SHA-512:67BDB822FE0F484E60B7FA0944A4123D68C1F8B94E70D51F5F336C312F409CF7098EEB828D1A7A13138C7833A3689A7D226D909B1AAA3800EF491D88C39CBB03
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):175160
                                                                                        Entropy (8bit):5.997921392487593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CE/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:k9EtkIpdA5OfzDUeqx6u
                                                                                        MD5:707EB4DC866F98B2701F57899DC19D51
                                                                                        SHA1:59F9AA5CCB0EE3276F74C23ADD327342EF5B10AE
                                                                                        SHA-256:F7DE47E26A16EB2459CD7FDC979BD30D0B50089D39433399EDA465023A0BD0BD
                                                                                        SHA-512:C95D902254391B0D3ABD3A07930701E173808413E1F32BA1084F04EB5678EBC87ACAC2EA4BB6B26FE0550D78525EA3F54683FB9567A995B1318B5D9340E514FD
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3162480
                                                                                        Entropy (8bit):6.46880916383348
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:znW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:ys3OBj4UmOH
                                                                                        MD5:EAB4618E120B951B8FADB9965EF352D7
                                                                                        SHA1:C706F3479276CE840541862BBBD2C1530362BA03
                                                                                        SHA-256:7D252BE50728CA3389124956E16D41F0AD14BB8C6F08D768F8A6555E25EA0F47
                                                                                        SHA-512:8F69D95D0D39C8566F3EB1D456AE98285D36852278F474CAC382BF37FCB70714B4747F1984874A16B4850678C93C5170CF37E3A19E2EB89FC5881F00B9E527F2
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1309408
                                                                                        Entropy (8bit):6.496342895106016
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:5+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:54AA4eGua43lgUFrv
                                                                                        MD5:B39DF380C20D63215708AA6263BE495F
                                                                                        SHA1:4CE3BE7169E222E787A3E8238D53C32324981894
                                                                                        SHA-256:36728B9A21D2A5927D9B4F5C02C0F5899DFB80ABD01F371342510DBBACFE2BCA
                                                                                        SHA-512:42B087413B27B741EB2470A6C7F64571542B20AA43C5B29A43C290A3E83960DAEA82974F6C187DA70655B175D5FFBA3FF04608CF54F8832DB7ED2DA715DCACD6
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):922944
                                                                                        Entropy (8bit):6.462019359288523
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:V9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:L/BrnYuqFcL3pQ+pDX
                                                                                        MD5:A4A4D70FB8EFBD8702F5F5CA3F2225B7
                                                                                        SHA1:3AB16972E6ECEE5162F4264AAB2B78AE5A6D9AFA
                                                                                        SHA-256:C8D5E992C3F31B60874957E81FC5C419F569CBC8FC3EF57F84F42F7E742C9EEF
                                                                                        SHA-512:92E72BCB8526AA833D6A8E5E77994C15ADABC50F8742C5075532FE281DD4F309827584868F0F19E659E90B4EAEB520F80EAB3116A14D6546DCC85973A638CEA8
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):501544
                                                                                        Entropy (8bit):6.318210992294509
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:yLH18t6x1hjaNHBlfBVDZS82Jn8YSFVhwDW:yLOwxyNHBVEHR8xFVhwDW
                                                                                        MD5:AED258F1B9A23FDB9CC5E4485138E644
                                                                                        SHA1:EAE5C3DB91C7DDF0B773CA86D0596D05687E0C93
                                                                                        SHA-256:615D5E9AF84BA2817673B9CF42EC923DDAA24EB351AF72C8F0521CCFBC823F99
                                                                                        SHA-512:65B31506659AEF8E650E19EAB25EC0772901650D0376A76EE259FB045F4FE943D583EB70FA9F844A9792968A4902B3D1E65426333B5DEB8AC7E625C822C74E99
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1637776
                                                                                        Entropy (8bit):6.3167820027975505
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:PzZzKrsdCmasrf9Xr5wzW27+w3E4nZ1jDkCZTunfmrd/Mq8pqiV+yeci+HMJ:7Z5d3f9Xr5wzW2x3E4vDkCZTEJ+3
                                                                                        MD5:7001415B4FEAD5C33EC776F878BEFC14
                                                                                        SHA1:9D27556E97A7CAE67486D6F3FD57530274227E84
                                                                                        SHA-256:3C65FA71938F8F8AAEF99B20567427A50E2081B52B01799E6DE0922E577A4F09
                                                                                        SHA-512:83A26C44B7E7F2E2F28F57D39EC624F9F56C19EB38121A8AEF6B279852746831466D76CA16B93EB0979B8FB4EF5FD93A74F411F25EB9EF2127EDC376365895E9
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):224632
                                                                                        Entropy (8bit):5.625443062700148
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CJNzQsUdR7ROPHKTeA+EyBEBsLj6mCv0MC+8w+l+jDYgb:k9jzrUdH7+Ey6yxCyncDYgb
                                                                                        MD5:6E3952F20879578A8938CDACB7536183
                                                                                        SHA1:983C0C98D8E38CB7D3E461370320B3B31258439E
                                                                                        SHA-256:2689FF014A00F6110EACAF335538BC57AE4DB0681C9C0B3E5B0F3DAD33EF0011
                                                                                        SHA-512:98B18D03FC15933A1FB4E9EB6965E5BAEE9BD2376D3F3A30D5900CD309DAB041FBE1D99716C086D3ABC3F8277D7E12DC8E6B5378E3C92B7633982672EDF2CDD3
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1922888
                                                                                        Entropy (8bit):6.54227144741344
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:txzduwxBjJMXDUlxqK/PDLWf+kfilcOk+4AgAQx:JuADax
                                                                                        MD5:6EAF653BEC36CC61FFAAA74C2461CAE2
                                                                                        SHA1:FBDDB56574DE87B9BC9D2A23BF4FFAC80020C313
                                                                                        SHA-256:80056A156E3C10D8B335E1AA5D0B9F3B426CF7698B120A7CB593A745C40B0D78
                                                                                        SHA-512:A6121E79CC254EC625590C81AF2281A2C1C591AD751690D8F2A68055B77E3ED0866E1166126453F218F5C45423F5059379BC0487A756E5299D72E87EEF7C2B53
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):431256
                                                                                        Entropy (8bit):5.903632333497157
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:k9mDBRMKC2DARcy85smiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVL3:/DBRPC23DWqOhf
                                                                                        MD5:05E8468F3C11C655FA5C0393FC91B745
                                                                                        SHA1:3C41A0398A82AC6C949DFE0F5A444C47AE05B9E5
                                                                                        SHA-256:659B9F92E7340FA757458CF6E4C4EED5EF8680C5C203D1BC9C7C5BF44CAE2BE2
                                                                                        SHA-512:C762C38321BC4B12EF0CDD9BC51B2B8D2C3B817B62D5F27ADF0A5CFC26A3AC846A2CACD27668AD9997F30BA795668820CA948D54037DD2918B27A6584BB4B8CA
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):175056
                                                                                        Entropy (8bit):6.000125322491865
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85CLBGrjhgGcKTeA4yJjAYykykBdg+FoQOJb/B1a:k9LgfhFAYykySfUb/B1a
                                                                                        MD5:122C5EEF72C8E9945312BCC27CDFA1C2
                                                                                        SHA1:073B5DBC1755095FE4A2037B9B3B63D153113156
                                                                                        SHA-256:8A8EC674356DABE752037E162860B7A4FAB54635DAF6A1E112FC1894B72BABBE
                                                                                        SHA-512:64F0B2AA151D83E51D754345EB149B209AD3741699E7272351D6711D4419ECEB14A2A9667479735F082D167373B9DF154460E92B7870FD2F9F6A0CA180F20BBD
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3158376
                                                                                        Entropy (8bit):6.464089113147873
                                                                                        Encrypted:false
                                                                                        SSDEEP:49152:Y7Inw/bT9uzlAndnpufoDbRwU/xv3lNOsWReEQZeEO1QOiPQOo4r+U:8/VmUAYrj
                                                                                        MD5:90F78071E0C92AADC17864CB0C11ED36
                                                                                        SHA1:406DBDF1785C49037A1729432A30FE2753EF3662
                                                                                        SHA-256:16CDB9A6B078E8F3655310B3DF161BB481DFD041BE65B3F302C823F699925431
                                                                                        SHA-512:869AE6FA1F7A167A21A21277423A054CF1995377A7B4FA6C5E7C58DFA9D07EC46DEC7C9B8B74515CB0C6FE392449DCA836A05F2541F5844E0E2754D4A9C9FD07
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1309536
                                                                                        Entropy (8bit):6.495307594774125
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:zvbIUnHtg+i54V0tqDNbu5kDIPQy+NTD4XnFzr:zzXzdMkDIPQy+Nv4Vr
                                                                                        MD5:56C6D475B98686A5C3C848B232662383
                                                                                        SHA1:23C37E7B08D8B644CA18688643A3867CFAB64B64
                                                                                        SHA-256:561F20A7B1FD4E51894C8DEF981DADA325A54C0AB355CE28E858BE06FE6C0526
                                                                                        SHA-512:92DCD39C7D6ADB080714547D8E80CC0D6B7269B86457617999FEB06A7C8B2D6FD62F4D461CCA991298FA4EC66D2E85F41E31A2E748AD98E5841F79A64F00E03A
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):922960
                                                                                        Entropy (8bit):6.4621080170674
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:V9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+pouCcqC7D4:L/BrnYuqFcL3pQ+pYmE
                                                                                        MD5:A7CD28CC20BCFBF2AB1B81FE970DFABF
                                                                                        SHA1:3C0D0B85304CA47F87480DD8AB0C42838A438509
                                                                                        SHA-256:CFDBEC3C2769A41631B4B1310C46A1CE5BBDE097592E52266F94425DFDE52EE2
                                                                                        SHA-512:AAEA29865EE94F5AEB7D013DE499B7813FBC31D9501AEEE6A16CDF60D1BD8DD2F59C9D650302F79CB85C9DDE721A776EB189759A1F3B4ABEAEFA78E261E59790
                                                                                        Malicious:true
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):692064
                                                                                        Entropy (8bit):7.195091714831986
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:kskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:ksZgjS1hqgSC/izkfFjymk4HM5yJwMK
                                                                                        MD5:2BBCB1E61E3B17B7F89D97FA21A3881D
                                                                                        SHA1:C90D9A55FFB5BD4FC7318B542DDE1F72A2341334
                                                                                        SHA-256:A2606AED76695606C291929D55A32A5CE51A9981A1471E24A2F33FCC5B97037F
                                                                                        SHA-512:657172F611FD934DA6DC59544043EF046948DC6052CFDA142008CB342E7264FC0701D7160B3D2774DA63B4354E9B967480FF0007A30DF9D83088842222C0A8B3
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
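Every PE listed above carries the same Preview bytes (a Borland/Delphi "MZP" DOS header, the "This program must be run under Win32" stub message and CODE/DATA/BSS section names) while their sizes and hashes differ: that is the fingerprint of a prepending file infector, which writes its own small executable in front of each victim and leaves the victim's bytes behind it. The next entries, whose Process is C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe, show the carved-out original sample being executed from the temp directory Neshta uses for that purpose. The script below is an added example, not part of this report or of any Joe Sandbox tooling; it assumes the Neshta layout (infector PE at offset 0, untouched host appended after it) and carves the host by locating the second MZ header whose e_lfanew points at a valid "PE\0\0" signature. The sample file it builds is constructed, not one of the dropped files, and the Delphi-stub check is only a family heuristic (any Delphi binary matches); the YARA rules cited in the report remain the actual detection.

```python
"""Carve the original host out of a prepending-infector sample (added example).

Assumption (not shown by the report itself): Neshta-style layout, i.e. the
infector's own Delphi PE sits at offset 0 and the original executable is
appended unchanged behind it.
"""
import struct
from typing import Optional, Tuple

MZ = b"MZ"
PE_SIG = b"PE\0\0"
WIN32_MSG = b"This program must be run under Win32"
DELPHI_SECTIONS = (b"CODE", b"DATA", b"BSS")


def pe_header_offset(data: bytes, base: int) -> Optional[int]:
    """Absolute offset of 'PE\\0\\0' for the MZ header at `base`, or None if it is not a PE."""
    if data[base:base + 2] != MZ or len(data) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew < 0x40 or pe + 4 > len(data) or data[pe:pe + 4] != PE_SIG:
        return None
    return pe


def looks_like_delphi_stub(data: bytes) -> bool:
    """Heuristic only: the MZP header, DOS-stub message and section names seen in
    the report previews. Every Delphi executable matches, so this narrows to the
    stub family; it does not by itself identify Neshta."""
    head = data[:0x400]
    return (head.startswith(b"MZP") and WIN32_MSG in head
            and all(name in head for name in DELPHI_SECTIONS))


def find_appended_pe(data: bytes) -> Optional[int]:
    """Offset of the first additional valid PE image after the image at offset 0."""
    first = pe_header_offset(data, 0)
    if first is None:
        return None
    pos = data.find(MZ, first + 4)          # skip the infector's own headers
    while pos != -1:
        if pe_header_offset(data, pos) is not None:
            return pos                       # MZ + e_lfanew -> 'PE\0\0': a real image
        pos = data.find(MZ, pos + 1)
    return None


def carve_host(data: bytes) -> Optional[bytes]:
    """Return the appended host executable, or None when no second PE exists."""
    off = find_appended_pe(data)
    return None if off is None else data[off:]


def make_fake_pe(marker: bytes, dos_text: bytes = b"", mzp: bool = False, size: int = 0x200) -> bytes:
    """Constructed minimal PE-shaped blob: MZ(P) header, e_lfanew at 0x3C, 'PE\\0\\0' at 0x100."""
    e_lfanew = 0x100
    hdr = bytearray(b"MZP" if mzp else b"MZ")
    hdr += b"\0" * (0x3C - len(hdr))
    hdr += struct.pack("<I", e_lfanew)
    hdr += dos_text                          # where Delphi puts its DOS-stub message
    hdr += b"\0" * (e_lfanew - len(hdr))
    hdr += PE_SIG + marker
    hdr += b"\0" * (size - len(hdr))
    return bytes(hdr)


def build_constructed_sample() -> Tuple[bytes, bytes]:
    """Constructed 'infected' file: Delphi-looking stub (0x300 bytes) + fake host (0x500 bytes)."""
    stub = make_fake_pe(b"STUB", WIN32_MSG + b"CODE" + b"DATA" + b"BSS", mzp=True, size=0x300)
    host = make_fake_pe(b"HOST", b"original program", size=0x500)
    return stub + host, host


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()[0]
    off = find_appended_pe(blob)
    print("delphi-looking stub:", looks_like_delphi_stub(blob))
    print("appended PE:", "none found" if off is None else f"at {off:#x}, {len(blob) - off} bytes")
```

Run against one of the real dropped files, the carved bytes should hash to the clean vendor binary the path names (the Defender platform component or VC_redist installer); comparing that hash with a known-good copy is the quickest way to confirm the infector only prepended itself and did not patch the host.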
                                                                                        Process:C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe
                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                        Category:dropped
                                                                                        Size (bytes):71954
                                                                                        Entropy (8bit):7.996617769952133
                                                                                        Encrypted:true
                                                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                        Malicious:false
                                                                                        Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                        Process:C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):328
                                                                                        Entropy (8bit):3.2291731433207413
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:kKVl99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:daDImsLNkPlE99SNxAhUe/3
                                                                                        MD5:5890F1F8E6C3869EFC42566C4EDCF99B
                                                                                        SHA1:9A964E3A15249274CDAB9E2C9EB141B4BD62765B
                                                                                        SHA-256:DB9858F230D7CA3987B8AC868E12AFEEB9F9ACE8C104FF72D5B5585A90D1DCB1
                                                                                        SHA-512:3524F5D994645E37F85C890BB7F3BA9285A504D1B9890991D102093DC4D4BA2159DF7A254B680319AF6AC4BB57DE7510D34C2A0FA77D9BE6A6DFDC00A20E6C8C
                                                                                        Malicious:false
                                                                                        Preview:p...... ........*X.o....(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                        Process:C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):520
                                                                                        Entropy (8bit):5.355496254154943
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
                                                                                        MD5:3C255C75EA6EB42410894C0D08A4E324
                                                                                        SHA1:34B3512313867B269C545241CD502B960213293A
                                                                                        SHA-256:116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
                                                                                        SHA-512:41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
                                                                                        Malicious:false
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                                                        Process:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):520
                                                                                        Entropy (8bit):5.355496254154943
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
                                                                                        MD5:3C255C75EA6EB42410894C0D08A4E324
                                                                                        SHA1:34B3512313867B269C545241CD502B960213293A
                                                                                        SHA-256:116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
                                                                                        SHA-512:41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
                                                                                        Malicious:false
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                                                        Process:C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):520
                                                                                        Entropy (8bit):5.355496254154943
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
                                                                                        MD5:3C255C75EA6EB42410894C0D08A4E324
                                                                                        SHA1:34B3512313867B269C545241CD502B960213293A
                                                                                        SHA-256:116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
                                                                                        SHA-512:41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
                                                                                        Malicious:true
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                                                        Process:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):148480
                                                                                        Entropy (8bit):7.268567993359371
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:PzWN5R3KoJXv0rFbKKCYSy5PwoeCe92crn0:U5RhMpbKKosPwo68Cn
                                                                                        MD5:31DFB639DA08EFDBE7FF7E289C199ECE
                                                                                        SHA1:F4FA72A23C7D3D1B3DC2760BBF581378357FB633
                                                                                        SHA-256:CAEC4DB1A3C53250A2F0F884F99383DDFFFA7B437FE2AE492F305B68ECCE196D
                                                                                        SHA-512:78F7A8E6AB843EC58C71CC0387775C10E3351F1085900B5B81D137069D09CC2CD618F962E1CEFC312C7086EE3F72E245EDC003627943E5E731A9DC065702CC38
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.....................l......E.... ........@.. ....................................@.....................................J........h........................................................................... ............... ..H............text...K.... ...................... ..`.rsrc....h.......j..................@..@.reloc...............B..............@..B................+.......H...........<]......O...........0........................................0..........8.....:....&8..........~.... ....(....o...........~.... ....(....o...........~.... ....(....o...........~.... ....(....o...........~.... ....(....o....~.... ....(....(......+...o....(......(......X...1.(....*s....8+....8,....8+.......(....*b.....+.+.*(....+.(....+....v~.... ....+.+.*(....+.(....+...v~.... ....+.+.*(....+.(....+...b.....+.+.*(....+.(....+.....0..7...............+$.....+ .......
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):148480
                                                                                        Entropy (8bit):7.268567993359371
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:PzWN5R3KoJXv0rFbKKCYSy5PwoeCe92crn0:U5RhMpbKKosPwo68Cn
                                                                                        MD5:31DFB639DA08EFDBE7FF7E289C199ECE
                                                                                        SHA1:F4FA72A23C7D3D1B3DC2760BBF581378357FB633
                                                                                        SHA-256:CAEC4DB1A3C53250A2F0F884F99383DDFFFA7B437FE2AE492F305B68ECCE196D
                                                                                        SHA-512:78F7A8E6AB843EC58C71CC0387775C10E3351F1085900B5B81D137069D09CC2CD618F962E1CEFC312C7086EE3F72E245EDC003627943E5E731A9DC065702CC38
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.....................l......E.... ........@.. ....................................@.....................................J........h........................................................................... ............... ..H............text...K.... ...................... ..`.rsrc....h.......j..................@..@.reloc...............B..............@..B................+.......H...........<]......O...........0........................................0..........8.....:....&8..........~.... ....(....o...........~.... ....(....o...........~.... ....(....o...........~.... ....(....o...........~.... ....(....o....~.... ....(....(......+...o....(......(......X...1.(....*s....8+....8,....8+.......(....*b.....+.+.*(....+.(....+....v~.... ....+.+.*(....+.(....+...v~.... ....+.+.*(....+.(....+...b.....+.+.*(....+.(....+.....0..7...............+$.....+ .......
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):182272
                                                                                        Entropy (8bit):6.784375621590053
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:sr85C/sWLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:k9/9mCtnRPF9cCGr/uH0gkSdQB
                                                                                        MD5:73F73E565BCCA28C58B8CD91DC1056AD
                                                                                        SHA1:AB7B58E90994D016DFD7937556FDEA6FE13ABA22
                                                                                        SHA-256:A0AC3CF26C12A9727FE6986DB32F255CBBCD6E45B063022E79C74DBD3787546C
                                                                                        SHA-512:460230C3F943A4626BFF45040B26D0C542140DD7EED6F58FF0D9412125359219DAE252080ACF27A2DAC15AC6C9FE4A32277D185D727841D0B719DF4D3356225E
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\chrome.exe, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\chrome.exe, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):8
                                                                                        Entropy (8bit):3.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:T11k:TM
                                                                                        MD5:2B5651FC59C22DC799F2246B0E03D025
                                                                                        SHA1:2C72137BE51D9142184CE29719CF0C46AF904F52
                                                                                        SHA-256:58F8734B486C01D7AC0E5C3E9359087EF8A7DA5BD9377C321A5F71C06AB2B64A
                                                                                        SHA-512:0784FE4A43BAFE947B0A3CBA273B1E3A8F4F06F9FA5341E658871E42C9025FFDDBE5DF01FD0CF8797C1BE384F80B0D0448DBDED5652EB14BD97E8170C4D5917F
                                                                                        Malicious:false
                                                                                        Preview:#J...&A
                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):148480
                                                                                        Entropy (8bit):7.268567993359371
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:PzWN5R3KoJXv0rFbKKCYSy5PwoeCe92crn0:U5RhMpbKKosPwo68Cn
                                                                                        MD5:31DFB639DA08EFDBE7FF7E289C199ECE
                                                                                        SHA1:F4FA72A23C7D3D1B3DC2760BBF581378357FB633
                                                                                        SHA-256:CAEC4DB1A3C53250A2F0F884F99383DDFFFA7B437FE2AE492F305B68ECCE196D
                                                                                        SHA-512:78F7A8E6AB843EC58C71CC0387775C10E3351F1085900B5B81D137069D09CC2CD618F962E1CEFC312C7086EE3F72E245EDC003627943E5E731A9DC065702CC38
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.....................l......E.... ........@.. ....................................@.....................................J........h........................................................................... ............... ..H............text...K.... ...................... ..`.rsrc....h.......j..................@..@.reloc...............B..............@..B................+.......H...........<]......O...........0........................................0..........8.....:....&8..........~.... ....(....o...........~.... ....(....o...........~.... ....(....o...........~.... ....(....o...........~.... ....(....o....~.... ....(....(......+...o....(......(......X...1.(....*s....8+....8,....8+.......(....*b.....+.+.*(....+.(....+....v~.... ....+.+.*(....+.(....+...v~.... ....+.+.*(....+.(....+...b.....+.+.*(....+.(....+.....0..7...............+$.....+ .......
                                                                                        Process:C:\Users\user\Desktop\bWrRSlOThY.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):41472
                                                                                        Entropy (8bit):6.286798943623423
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ:JxqjQ+P04wsmJC
                                                                                        MD5:0D5E5847E431EF73C3DF72461943B8BF
                                                                                        SHA1:CCF446766B63B7A77B2B989F8ABDC73A7EC73C44
                                                                                        SHA-256:46B66FE0E8617D2ED37212A95EBEFB95E4277E4464B0C16C52E7E55E7810887B
                                                                                        SHA-512:EA499A86A60C33F5BAE5B95E68DCA4FDA4642CA94336CA1C032A20D065643FB05C176816BA89E28580B6AC1AC3E6223A130E81183304EEE6C16DDFF22B2FF333
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Windows\svchost.com, Author: ditekSHen
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
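The dropped-files listing above repeats the same bytes under different dropping processes: the 148480-byte .NET assembly with SHA-256 CAEC4DB1… is written by the Roaming copy of RemoteDestopManagerx86.exe, by the Desktop sample and by cmd.exe, and the 520-byte fusion binding log with SHA-256 116B1D2F… is printed as Malicious:false twice and Malicious:true once. The MSCF file named authroot.stl and the 328-byte record carrying the ctldl.windowsupdate.com/…/authrootstl.cab URL are CryptoAPI's automatic root-certificate-list update, a Windows artifact that shows up in almost any sandbox run and is not attacker infrastructure. The following Python, added here as an example and not part of the Joe Sandbox report, parses records in this Key:Value layout, collapses them per SHA-256 so a verdict is attached to the bytes rather than to the path, and lists the hashes the sandbox labelled inconsistently. The input is a transcribed, shortened excerpt of the records above (previews cut, some fields omitted); the helper names are the example's own.

```python
# Excerpt of the dropped-files records above (constructed input: previews shortened
# and several fields omitted; processes, sizes, hashes and verdicts are as printed).
REPORT_EXCERPT = r"""
Process:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):148480
SHA-256:CAEC4DB1A3C53250A2F0F884F99383DDFFFA7B437FE2AE492F305B68ECCE196D
Malicious:true
Preview:MZ......................@.......
Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):148480
SHA-256:CAEC4DB1A3C53250A2F0F884F99383DDFFFA7B437FE2AE492F305B68ECCE196D
Malicious:true
Preview:MZ......................@.......
Process:C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):520
SHA-256:116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
Process:C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):520
SHA-256:116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
Process:C:\Users\user\Desktop\bWrRSlOThY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):41472
SHA-256:46B66FE0E8617D2ED37212A95EBEFB95E4277E4464B0C16C52E7E55E7810887B
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Windows\svchost.com, Author: ditekSHen
Preview:MZP.....................@.......
"""


def parse_records(text):
    """Split the flat Key:Value listing into one dict per dropped file.
    A record starts at each 'Process:' line; '•' bullets belong to 'Yara Hits'."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            # "• Rule: NAME, Description: ..., Source: ..., Author: ..." -> NAME
            rule = line[1:].split(",", 1)[0].partition(":")[2].strip()
            cur["Yara Hits"].append(rule)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Process":
            cur = {"Process": value, "Yara Hits": []}
            records.append(cur)
        elif cur is not None and key != "Yara Hits":   # bullets fill Yara Hits
            cur[key] = value
    return records


def group_by_sha256(records):
    """Collapse repeated drops of identical bytes into one entry per SHA-256."""
    groups = {}
    for r in records:
        g = groups.setdefault(r["SHA-256"], {
            "size": int(r["Size (bytes)"]), "file_type": r["File Type"],
            "processes": set(), "verdicts": set(), "yara": set()})
        g["processes"].add(r["Process"])
        g["verdicts"].add(r["Malicious"])
        g["yara"].update(r["Yara Hits"])
    for g in groups.values():
        # One 'true' anywhere taints the hash: the bytes are the same wherever they landed.
        g["malicious"] = "true" in g["verdicts"]
    return groups


def inconsistent_verdicts(groups):
    """Hashes the sandbox labelled both true and false; review these by hand."""
    return sorted(h for h, g in groups.items() if len(g["verdicts"]) > 1)


def pe_entries_without_mz(records):
    """Sanity check: anything typed as PE whose preview does not open with MZ."""
    return [r["Process"] for r in records
            if r["File Type"].startswith("PE32") and not r["Preview"].startswith("MZ")]


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    groups = group_by_sha256(recs)
    for sha, g in groups.items():
        print(f"{sha[:16]} {g['size']:>7} B malicious={g['malicious']} "
              f"droppers={len(g['processes'])} yara={sorted(g['yara'])}")
    print("inconsistent verdicts:", inconsistent_verdicts(groups))
```

Run against the full report the same way; the point of keying on SHA-256 is that a hash seen with Malicious:true in one path, as with the fusion log here, should not be waved through because another copy of it was printed as false.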
                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Entropy (8bit):7.169843905766459
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.36%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.31%
                                                                                        • Win32 Executable Borland Delphi 6 (262906/60) 1.30%
                                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        File name:bWrRSlOThY.exe
                                                                                        File size:189'952 bytes
                                                                                        MD5:a2ce48432527c70571d0851c190dbc10
                                                                                        SHA1:77be1e6207462d2826faf1207960e01a26e30173
                                                                                        SHA256:0b35e26564684a04734c5e5e2b83957ef5138a945109c6afed27dd3b07d1a370
                                                                                        SHA512:333bbdfd2a098114b0ea7a2665bcbe005b7dc2fb98d74fbff53b8ea9ba291ccf068457f91843ebc7eacb99b9f5ffa372e1995ff2971a880db4e4ad57b1bf4f02
                                                                                        SSDEEP:3072:sr85CW0rFbKKCYSy5PwoeCe92crn0V2zWN5R3KoJXI:k9RpbKKosPwo68Cny75RhY
                                                                                        TLSH:0104AD75AFC08E73D9690EBDB867124FC3B0EC363926D3471C9A31A959363DA1D1A183
                                                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                        Icon Hash:71e0d49292c0f033
                                                                                        Entrypoint:0x4080e4
                                                                                        Entrypoint Section:CODE
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                        DLL Characteristics:
                                                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:9f4693fc0c511135129493f2161d1e86
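Several of the static header fields above are worth decoding rather than reading past. The time stamp 0x2A425E19 is the fixed value the Borland/Delphi linker writes instead of a build time, so the 1992 date says nothing about when the sample was built; the six characteristics flags recombine to 0x818E, with both BYTES_REVERSED bits set, and the entry point lives in a section named CODE, both hallmarks of Borland-linked images and consistent with the TrID Delphi hits and the Neshta Yara matches. The empty DLL Characteristics field means the image opts out of ASLR and DEP. Finally, the sample's 189'952 bytes equal the 41472-byte Neshta body (C:\Windows\svchost.com above) plus the 148480-byte .NET assembly Neshta restored to %TEMP%\3582-490\, which is how a Neshta-infected host is laid out. The Python below, added as an example and not part of the Joe Sandbox report, performs these checks on the header values transcribed from the page (they are not parsed from the binary; the function names are the example's own).

```python
from datetime import datetime, timezone

# IMAGE_FILE_* bits of the COFF Characteristics field (PE/COFF specification).
IMAGE_FILE_FLAGS = {
    "EXECUTABLE_IMAGE": 0x0002,
    "LINE_NUMS_STRIPPED": 0x0004,
    "LOCAL_SYMS_STRIPPED": 0x0008,
    "BYTES_REVERSED_LO": 0x0080,
    "32BIT_MACHINE": 0x0100,
    "BYTES_REVERSED_HI": 0x8000,
}

# Fixed link-time stamp the Borland/Delphi linker writes in place of the real
# build time; it decodes to 1992-06-19 22:22:17 UTC.
DELPHI_LINK_STAMP = 0x2A425E19

# Section names Borland's linker emits (no leading dot), unlike MSVC's .text/.data.
BORLAND_SECTIONS = {"CODE", "DATA", "BSS"}

# Header values transcribed from the report above (assumed input, not read from the file).
SAMPLE_HEADER = {
    "entrypoint": 0x4080E4,
    "entrypoint_section": "CODE",
    "imagebase": 0x400000,
    "time_stamp": 0x2A425E19,
    "characteristics": ["EXECUTABLE_IMAGE", "LINE_NUMS_STRIPPED", "LOCAL_SYMS_STRIPPED",
                        "BYTES_REVERSED_LO", "32BIT_MACHINE", "BYTES_REVERSED_HI"],
    "dll_characteristics": [],   # printed empty in the report
    "file_size": 189952,
}
NESHTA_BODY_SIZE = 41472       # C:\Windows\svchost.com in the dropped-files list
RESTORED_HOST_SIZE = 148480    # %TEMP%\3582-490\bWrRSlOThY.exe in the dropped-files list


def timestamp_utc(stamp: int) -> str:
    """Render a PE TimeDateStamp (seconds since the Unix epoch) as UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def characteristics_value(names) -> int:
    """Recombine the flag names the report prints into the raw 16-bit field."""
    return sum(IMAGE_FILE_FLAGS[n] for n in names)


def entry_rva(header) -> int:
    """Entry point as an RVA, i.e. relative to the preferred image base."""
    return header["entrypoint"] - header["imagebase"]


def neshta_size_check(infected_size: int, stub_size: int, host_size: int) -> bool:
    """Neshta keeps its own body ahead of the original host inside an infected file,
    so the infected file should be exactly stub + host bytes long."""
    return infected_size == stub_size + host_size


def triage(header) -> list:
    """Turn the printed header fields into the notes a reviewer would want."""
    notes = []
    if header["time_stamp"] == DELPHI_LINK_STAMP:
        notes.append("time stamp 0x2A425E19 is the fixed Delphi linker value, not a build date")
    chars = characteristics_value(header["characteristics"])
    if chars & IMAGE_FILE_FLAGS["BYTES_REVERSED_LO"] and chars & IMAGE_FILE_FLAGS["BYTES_REVERSED_HI"]:
        notes.append(f"characteristics 0x{chars:04X}: BYTES_REVERSED_* set, typical of Borland-linked images")
    if header["entrypoint_section"] in BORLAND_SECTIONS:
        notes.append(f"entry point RVA 0x{entry_rva(header):X} lies in Borland-style section "
                     f"{header['entrypoint_section']}")
    if not header["dll_characteristics"]:
        notes.append("DllCharacteristics is 0: no DYNAMIC_BASE (ASLR) and no NX_COMPAT (DEP)")
    if neshta_size_check(header["file_size"], NESHTA_BODY_SIZE, RESTORED_HOST_SIZE):
        notes.append(f"file size {header['file_size']} == {NESHTA_BODY_SIZE} (Neshta body) "
                     f"+ {RESTORED_HOST_SIZE} (restored host)")
    return notes


if __name__ == "__main__":
    print("link time:", timestamp_utc(SAMPLE_HEADER["time_stamp"]))
    for note in triage(SAMPLE_HEADER):
        print("-", note)
```

The size identity is the quickest way to confirm the two-layer picture the detections describe: a Delphi Neshta stub wrapped around an unrelated .NET payload, which here is the AsyncRAT build the report names.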
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFE0h
xor eax, eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-14h], eax
mov eax, 00408054h
call 00007FCF58D00827h
xor eax, eax
push ebp
push 00408220h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, 004091A8h
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007FCF58D03971h
mov eax, 004091B4h
mov ecx, 00000009h
mov edx, 00000009h
call 00007FCF58D0395Dh
mov eax, 004091C0h
mov ecx, 00000003h
mov edx, 00000003h
call 00007FCF58D03949h
mov eax, 004091DCh
mov ecx, 00000003h
mov edx, 00000003h
call 00007FCF58D03935h
mov eax, dword ptr [00409210h]
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007FCF58D03921h
call 00007FCF58D03978h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FCF58D01262h
mov eax, dword ptr [ebp-14h]
call 00007FCF58D017F6h
cmp eax, 0000A200h
jle 00007FCF58D04A17h
call 00007FCF58D03EF6h
call 00007FCF58D04709h
mov eax, 004091C4h
mov ecx, 00000003h
mov edx, 00000003h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15000 | 0x864 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x1400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0x5cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x17000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x722c | 0x7400 | ca3464d4f08c9010e7ffa2fe3e890344 | False | 0.6173558728448276 | data | 6.511672174892103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x9000 | 0x218 | 0x400 | 7ffc3168a7f3103634abdf3a768ed128 | False | 0.3623046875 | data | 3.1516983405583385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xa000 | 0xa899 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x15000 | 0x864 | 0xa00 | 6e7a45521bfca94f1e506361f70e7261 | False | 0.37421875 | data | 4.173859768945439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x16000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x17000 | 0x18 | 0x200 | 7e6c0f4f4435abc870eb550d5072bad6 | False | 0.05078125 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x18000 | 0x5cc | 0x600 | 16968c66d220638496d6b095f21de777 | False | 0.8483072916666666 | data | 6.443093465893509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x19000 | 0x1400 | 0x1400 | a7964ed886b0ef28758697815c148f0a | False | 0.2154296875 | data | 3.835366447797633 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x19150 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4264 | Russian | Russia | 0.10975609756097561
RT_RCDATA | 0x1a1f8 | 0x10 | data | | | 1.5
RT_RCDATA | 0x1a208 | 0xac | data | | | 1.063953488372093
RT_GROUP_ICON | 0x1a2b4 | 0x14 | data | Russian | Russia | 1.1
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, MessageBoxA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll | StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll | ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll | ShellExecuteA, ExtractIconA
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-01T15:47:18.825947+0200 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 172.94.108.143 | 7784 | 192.168.2.6 | 49712 | TCP
2024-10-01T15:47:18.825947+0200 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 172.94.108.143 | 7784 | 192.168.2.6 | 49712 | TCP
2024-10-01T15:47:18.825947+0200 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 172.94.108.143 | 7784 | 192.168.2.6 | 49712 | TCP
2024-10-01T15:47:18.825947+0200 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 172.94.108.143 | 7784 | 192.168.2.6 | 49712 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Oct 1, 2024 15:48:46.443038940 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:46.443088055 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:46.443969011 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:46.444015980 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:46.444856882 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:46.453512907 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:46.453572035 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:46.458332062 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:46.958604097 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:46.963484049 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:46.963924885 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:46.968683958 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:47.522161007 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:47.526098967 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:47.526465893 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:47.527884007 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:47.532649994 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:47.541601896 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:47.546469927 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:56.334635019 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:56.339464903 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:56.339582920 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:56.344398022 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:56.713304996 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:56.768313885 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:56.875019073 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:56.924545050 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:56.965548992 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:56.970570087 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:48:56.970623016 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:48:56.975641012 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:00.834136009 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:01.048119068 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:01.093111992 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:01.093168974 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:01.098411083 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:01.098422050 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:01.315548897 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:01.362071037 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:01.484127998 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:01.485831022 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:01.490824938 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:01.490869045 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:01.495703936 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:03.628295898 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:03.633155107 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:03.633265018 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:03.638163090 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:04.009872913 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:04.065642118 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:04.171994925 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:04.176651955 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:04.181560040 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:04.181822062 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:04.186788082 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:04.457256079 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:04.462150097 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:04.463084936 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:04.467920065 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:04.735620022 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:04.910804033 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:04.910864115 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:05.403482914 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:05.408488035 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:05.408533096 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:05.413330078 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:08.222244024 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:08.227133036 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:08.227817059 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:08.232675076 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:08.618824005 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:08.667258024 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:08.780786037 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:08.782480955 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:08.787337065 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:08.787379980 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:08.792231083 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:12.185338020 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:12.253376961 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:12.253452063 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:17.597042084 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:17.601851940 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:17.601979017 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:17.607028008 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:17.979547024 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:18.135364056 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:18.140404940 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:18.142340899 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:18.147198915 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:18.147267103 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:18.152092934 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:26.973659039 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:26.978589058 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:26.985656977 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:26.990565062 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:27.383423090 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:27.456553936 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:27.548192978 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:27.550326109 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:27.555229902 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:27.555424929 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:27.560316086 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:29.472064018 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:29.478549004 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:29.478666067 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:29.485024929 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:29.849662066 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:29.917862892 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:30.015763044 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:30.017438889 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:30.022258997 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:30.022367001 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:30.027225018 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:33.865219116 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:33.870317936 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:33.872817993 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:33.878329992 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:34.240705967 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:34.284012079 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:34.405026913 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:34.406811953 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:34.412014008 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:34.412095070 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:34.417012930 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:37.458687067 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:37.463985920 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:37.466701031 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:37.471879005 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:37.838526011 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:37.893580914 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:38.002505064 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:38.005403042 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:38.010811090 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:38.010864973 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:38.015726089 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:38.378576994 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:38.383506060 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:38.383569002 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:38.388444901 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:38.765954971 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:38.815345049 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:38.938317060 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:38.941677094 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:38.947009087 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:38.953676939 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:38.958602905 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:40.925452948 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:40.930541992 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:40.934715033 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:40.939726114 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:41.309103966 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:41.362698078 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:41.469671965 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:41.472657919 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:41.477639914 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:41.478744030 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:41.483760118 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:42.054117918 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:42.096541882 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:42.218945980 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:42.268488884 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:44.878465891 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:44.883730888 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:44.883799076 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:44.889998913 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:45.260322094 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:45.315416098 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:45.422692060 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:45.428555012 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:45.433590889 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:45.438703060 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:45.443620920 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:49.206661940 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:49.211508036 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:49.211617947 CEST497127784192.168.2.6172.94.108.143
                                                                                        Oct 1, 2024 15:49:49.216401100 CEST778449712172.94.108.143192.168.2.6
                                                                                        Oct 1, 2024 15:49:49.595351934 CEST778449712172.94.108.143192.168.2.6
Oct 1, 2024 15:49:49.644134045 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:49.766201973 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:49.768316984 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:49.773215055 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:49.773293018 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:49.778215885 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:58.581577063 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:58.586674929 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:58.590760946 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:58.595679045 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:58.975090027 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:59.018373966 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:59.186187983 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:59.188107014 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:59.192934036 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:59.192990065 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:59.197747946 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:59.769195080 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:59.774240971 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:49:59.774317026 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:49:59.779139042 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:00.238219976 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:00.284008026 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:00.407408953 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:00.409341097 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:00.414300919 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:00.414423943 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:00.419375896 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:09.144010067 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:09.149085045 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:09.149172068 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:09.154000044 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:09.621819973 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:09.804800034 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:09.810930014 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:09.813867092 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:09.818687916 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:09.818748951 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:09.823658943 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:12.053767920 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:12.101191044 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:12.175441027 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:12.180376053 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:12.180438995 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:12.185364008 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:12.220889091 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:12.408607960 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:12.561434031 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:12.643388987 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:12.852715015 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:12.861283064 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:12.906704903 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:12.909198999 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:12.913960934 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:21.550271988 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:21.555279016 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:21.558290958 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:21.563493013 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:21.926911116 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:21.976279974 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:22.096375942 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:22.100748062 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:22.105743885 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:22.108671904 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:22.113466024 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:30.926712036 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:31.156964064 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:31.157037973 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:31.161874056 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:31.538600922 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:31.643533945 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:31.704562902 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:31.706878901 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:31.711782932 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:31.711924076 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:31.716799021 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:33.105386019 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:33.110327005 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:33.110383034 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:33.115159988 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:33.486033916 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:33.561777115 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:33.657468081 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:33.659552097 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:33.664485931 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:33.664540052 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:33.669491053 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:36.753576040 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:36.758599043 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:36.758797884 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:36.763684034 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:37.209873915 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:37.252785921 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:37.392384052 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:37.394706964 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:37.399599075 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:37.399646044 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:37.404443979 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:42.065666914 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:42.112466097 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:42.236262083 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:42.284818888 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:46.130834103 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:46.135708094 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:46.135885000 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:46.140688896 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:46.238734007 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:46.245189905 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:46.245299101 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:46.251029968 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:46.550568104 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:46.596585989 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:46.720542908 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:46.722465992 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:46.727281094 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:46.727407932 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:46.732263088 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:54.456424952 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:54.461564064 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:54.461839914 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:54.466662884 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:54.926958084 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:54.971575975 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:55.023493052 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:55.025593042 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:55.030502081 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:55.032874107 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:55.037765026 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:57.347207069 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:57.352180004 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:57.352245092 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:57.357120991 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:57.752799988 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:57.799768925 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:57.937283039 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:57.939110041 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:57.943978071 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:50:57.944082022 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:50:57.949033022 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:00.722115040 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:00.727170944 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:00.727273941 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:00.732199907 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:01.118979931 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:01.159071922 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:01.285773039 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:01.288031101 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:01.292886019 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:01.292949915 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:01.297805071 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:02.065896034 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:02.070868969 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:02.073880911 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:02.078860044 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:02.454544067 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:02.503844023 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:02.660100937 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:02.669609070 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:02.674904108 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:02.674990892 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:02.679944992 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:10.456566095 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:10.461494923 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:10.464818001 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:10.469779015 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:10.838521957 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:10.893471003 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:11.001883984 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:11.002942085 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:11.007790089 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:11.007877111 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:11.012676954 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:12.089430094 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:12.143470049 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Oct 1, 2024 15:51:12.250957966 CEST | 7784 | 49712 | 172.94.108.143 | 192.168.2.6
Oct 1, 2024 15:51:12.299710035 CEST | 49712 | 7784 | 192.168.2.6 | 172.94.108.143
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 15:47:07.892940998 CEST | 51761 | 53 | 192.168.2.6 | 1.1.1.1
Oct 1, 2024 15:47:08.877921104 CEST | 51761 | 53 | 192.168.2.6 | 1.1.1.1
Oct 1, 2024 15:47:09.893455982 CEST | 51761 | 53 | 192.168.2.6 | 1.1.1.1
Oct 1, 2024 15:47:11.910978079 CEST | 53 | 51761 | 1.1.1.1 | 192.168.2.6
Oct 1, 2024 15:47:11.910998106 CEST | 53 | 51761 | 1.1.1.1 | 192.168.2.6
Oct 1, 2024 15:47:11.911009073 CEST | 53 | 51761 | 1.1.1.1 | 192.168.2.6
Oct 1, 2024 15:47:11.935072899 CEST | 51761 | 53 | 192.168.2.6 | 1.1.1.1
Oct 1, 2024 15:47:11.942060947 CEST | 53 | 51761 | 1.1.1.1 | 192.168.2.6
Oct 1, 2024 15:47:17.144599915 CEST | 54922 | 53 | 192.168.2.6 | 1.1.1.1
Oct 1, 2024 15:47:18.080391884 CEST | 53 | 54922 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 1, 2024 15:47:07.892940998 CEST | 192.168.2.6 | 1.1.1.1 | 0xd9b7 | Standard query (0) | enero2022async.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:08.877921104 CEST | 192.168.2.6 | 1.1.1.1 | 0xd9b7 | Standard query (0) | enero2022async.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:09.893455982 CEST | 192.168.2.6 | 1.1.1.1 | 0xd9b7 | Standard query (0) | enero2022async.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:11.935072899 CEST | 192.168.2.6 | 1.1.1.1 | 0xd9b7 | Standard query (0) | enero2022async.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:17.144599915 CEST | 192.168.2.6 | 1.1.1.1 | 0x9c9 | Standard query (0) | enero2022async.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 1, 2024 15:47:11.910978079 CEST | 1.1.1.1 | 192.168.2.6 | 0xd9b7 | Server failure (2) | enero2022async.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:11.910998106 CEST | 1.1.1.1 | 192.168.2.6 | 0xd9b7 | Server failure (2) | enero2022async.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:11.911009073 CEST | 1.1.1.1 | 192.168.2.6 | 0xd9b7 | Server failure (2) | enero2022async.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:11.942060947 CEST | 1.1.1.1 | 192.168.2.6 | 0xd9b7 | Server failure (2) | enero2022async.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:18.080391884 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c9 | No error (0) | enero2022async.duckdns.org |  | 172.94.108.143 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:19.480496883 CEST | 1.1.1.1 | 192.168.2.6 | 0x8599 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:47:19.480496883 CEST | 1.1.1.1 | 192.168.2.6 | 0x8599 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:48:20.867841959 CEST | 1.1.1.1 | 192.168.2.6 | 0xad22 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 1, 2024 15:48:20.867841959 CEST | 1.1.1.1 | 192.168.2.6 | 0xad22 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.34 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 15:48:20.867841959 CEST | 1.1.1.1 | 192.168.2.6 | 0xad22 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.18 | A (IP address) | IN (0x0001) | false
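
The DNS answers above resolve enero2022async.duckdns.org to 172.94.108.143 (after four SERVFAIL replies), and the TCP list shows the analysis host 192.168.2.6 holding a session with that address on port 7784. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it joins the two tables the way an analyst does with passive DNS, attributing each outbound flow to the names that resolved to its peer before the flow began, flagging names under a dynamic-DNS provider, and recording idle gaps between client packets. The embedded rows are copied from the tables above (the three A-record answers and the first twelve TCP rows only); the suffix list and the one-second idle threshold are illustrative assumptions.

```python
"""Added example (not from the Joe Sandbox report): attribute the sandbox's
outbound TCP flows to resolved names and flag dynamic-DNS peers."""
import re
from collections import defaultdict
from datetime import datetime

# Illustrative suffix list (assumption; extend it from your own intelligence).
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net")

# Rows copied from the DNS answers table above: (timestamp, name, address).
DNS_ANSWERS = [
    ("Oct 1, 2024 15:47:18.080391884 CEST", "enero2022async.duckdns.org", "172.94.108.143"),
    ("Oct 1, 2024 15:47:19.480496883 CEST", "bg.microsoft.map.fastly.net", "199.232.210.172"),
    ("Oct 1, 2024 15:47:19.480496883 CEST", "bg.microsoft.map.fastly.net", "199.232.214.172"),
]

# First twelve rows of the TCP table above: (timestamp, sport, dport, src, dst).
TCP_PACKETS = [
    ("Oct 1, 2024 15:49:49.644134045 CEST", 49712, 7784, "192.168.2.6", "172.94.108.143"),
    ("Oct 1, 2024 15:49:49.766201973 CEST", 7784, 49712, "172.94.108.143", "192.168.2.6"),
    ("Oct 1, 2024 15:49:49.768316984 CEST", 49712, 7784, "192.168.2.6", "172.94.108.143"),
    ("Oct 1, 2024 15:49:49.773215055 CEST", 7784, 49712, "172.94.108.143", "192.168.2.6"),
    ("Oct 1, 2024 15:49:49.773293018 CEST", 49712, 7784, "192.168.2.6", "172.94.108.143"),
    ("Oct 1, 2024 15:49:49.778215885 CEST", 7784, 49712, "172.94.108.143", "192.168.2.6"),
    ("Oct 1, 2024 15:49:58.581577063 CEST", 49712, 7784, "192.168.2.6", "172.94.108.143"),
    ("Oct 1, 2024 15:49:58.586674929 CEST", 7784, 49712, "172.94.108.143", "192.168.2.6"),
    ("Oct 1, 2024 15:49:58.590760946 CEST", 49712, 7784, "192.168.2.6", "172.94.108.143"),
    ("Oct 1, 2024 15:49:58.595679045 CEST", 7784, 49712, "172.94.108.143", "192.168.2.6"),
    ("Oct 1, 2024 15:49:58.975090027 CEST", 7784, 49712, "172.94.108.143", "192.168.2.6"),
    ("Oct 1, 2024 15:49:59.018373966 CEST", 49712, 7784, "192.168.2.6", "172.94.108.143"),
]

TS_RE = re.compile(r"^([A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) [A-Z]+$")


def parse_ts(text):
    """Parse 'Oct 1, 2024 15:49:49.644134045 CEST'. The nanosecond fraction is
    truncated to microseconds; the zone name is dropped (every row is CEST)."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError("unexpected timestamp: %r" % text)
    dt = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return dt.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))


def is_dynamic_dns(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def correlate(dns_answers, tcp_packets, local_ip, idle_threshold=1.0):
    """Return {(peer_ip, peer_port): summary} for every flow touching local_ip.

    summary holds the names that resolved to the peer before the flow began,
    a dynamic-DNS flag, packet counts per direction, the first packet time,
    and the idle gaps (seconds) between client packets above idle_threshold."""
    resolved = defaultdict(list)  # passive-DNS view: address -> [(time, name)]
    for ts, name, addr in dns_answers:
        resolved[addr].append((parse_ts(ts), name))

    flows = {}
    for ts, sport, dport, sip, dip in sorted(tcp_packets, key=lambda r: parse_ts(r[0])):
        t = parse_ts(ts)
        if sip == local_ip:
            key, direction = (dip, dport), "out"
        elif dip == local_ip:
            key, direction = (sip, sport), "in"
        else:
            continue  # not this host's traffic
        f = flows.setdefault(key, {"names": [], "dynamic_dns": False, "out": 0,
                                   "in": 0, "first_seen": t, "idle_gaps": [],
                                   "_last_out": None})
        f[direction] += 1
        if direction == "out":
            if f["_last_out"] is not None:
                gap = (t - f["_last_out"]).total_seconds()
                if gap > idle_threshold:
                    f["idle_gaps"].append(round(gap, 3))
            f["_last_out"] = t

    for (peer_ip, _), f in flows.items():
        # Only answers seen before the first packet can explain the connection.
        names = {n for when, n in resolved.get(peer_ip, []) if when <= f["first_seen"]}
        f["names"] = sorted(names)
        f["dynamic_dns"] = any(is_dynamic_dns(n) for n in names)
        del f["_last_out"]
    return flows


if __name__ == "__main__":
    for (ip, port), f in correlate(DNS_ANSWERS, TCP_PACKETS, "192.168.2.6").items():
        verdict = "dynamic-DNS C2 candidate" if f["dynamic_dns"] else "unremarkable"
        print("%s:%d out=%d in=%d names=%s idle_gaps=%s -> %s"
              % (ip, port, f["out"], f["in"], f["names"], f["idle_gaps"], verdict))
```

On the twelve embedded rows the only flow is 172.94.108.143:7784, attributed to enero2022async.duckdns.org and flagged, with one idle gap of about 8.8 s between the client's packets at 15:49:49 and 15:49:58. Fed the full 176-row table, the idle-gap list becomes the sample's check-in pauses, which is the feature to compare against the session timing of other AsyncRAT captures. The answer-before-first-packet rule matters in real captures: an A record returned after the connection started cannot have caused it, and skipping that check is a common source of false attributions.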

Target ID: 0
Start time: 09:47:01
Start date: 01/10/2024
Path: C:\Users\user\Desktop\bWrRSlOThY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\bWrRSlOThY.exe"
Imagebase: 0x400000
File size: 189'952 bytes
MD5 hash: A2CE48432527C70571D0851C190DBC10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2592455877.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:47:01
Start date: 01/10/2024
Path: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe"
Imagebase: 0xfe0000
File size: 148'480 bytes
MD5 hash: 31DFB639DA08EFDBE7FF7E289C199ECE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000002.2164810535.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 3
Start time: 09:47:01
Start date: 01/10/2024
Path: C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe"
Imagebase: 0xa60000
File size: 148'480 bytes
MD5 hash: 31DFB639DA08EFDBE7FF7E289C199ECE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4617709059.000000000120E000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4617709059.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4619895119.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 4
Start time: 09:47:01
Start date: 01/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 09:47:01
Start date: 01/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:47:01
Start date: 01/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 09:47:01
Start date: 01/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 09:47:01
Start date: 01/10/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
Imagebase: 0x560000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 09:47:02
Start date: 01/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\bWrRSlOThY.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 09:47:02
Start date: 01/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 16
Start time: 09:48:01
Start date: 01/10/2024
Path: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
Imagebase: 0x400000
File size: 189'952 bytes
MD5 hash: A2CE48432527C70571D0851C190DBC10
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 17
Start time: 09:48:02
Start date: 01/10/2024
Path: C:\Windows\svchost.com
Wow64 process (32bit): true
Commandline: "C:\Windows\svchost.com" "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE"
Imagebase: 0x400000
File size: 41'472 bytes
MD5 hash: 0D5E5847E431EF73C3DF72461943B8BF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Windows\svchost.com, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 18
Start time: 09:48:02
Start date: 01/10/2024
Path: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE
Imagebase: 0x390000
File size: 148'480 bytes
MD5 hash: 31DFB639DA08EFDBE7FF7E289C199ECE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000012.00000002.2769868231.0000000002992000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 19
Start time: 09:48:02
Start date: 01/10/2024
Path: C:\Users\user\AppData\Local\Temp\3582-490\RemoteDestopManagerx86.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE"
Imagebase: 0x4a0000
File size: 148'480 bytes
MD5 hash: 31DFB639DA08EFDBE7FF7E289C199ECE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000013.00000002.2815936645.0000000004DF8000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000013.00000002.2813685167.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000013.00000002.2814476665.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 20
Start time: 09:48:02
Start date: 01/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 21
Start time: 09:48:02
Start date: 01/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 22
Start time: 09:48:02
Start date: 01/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                        Target ID:23
                                                                                        Start time:09:48:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:24
                                                                                        Start time:09:48:03
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                                                                                        Imagebase:0x560000
                                                                                        File size:187'904 bytes
                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:25
                                                                                        Start time:09:48:03
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\3582-490\REMOTE~1.EXE" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:26
                                                                                        Start time:09:48:03
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:29
                                                                                        Start time:09:49:00
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        Imagebase:0x810000
                                                                                        File size:148'480 bytes
                                                                                        MD5 hash:31DFB639DA08EFDBE7FF7E289C199ECE
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000001D.00000002.3361345490.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:true

                                                                                        Target ID:30
                                                                                        Start time:09:49:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                                                                                        Imagebase:0x3a0000
                                                                                        File size:148'480 bytes
                                                                                        MD5 hash:31DFB639DA08EFDBE7FF7E289C199ECE
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001E.00000002.3408804926.0000000004CC8000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001E.00000002.3398649421.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:true

                                                                                        Target ID:31
                                                                                        Start time:09:49:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:32
                                                                                        Start time:09:49:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:33
                                                                                        Start time:09:49:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:34
                                                                                        Start time:09:49:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:35
                                                                                        Start time:09:49:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                                                                                        Imagebase:0x560000
                                                                                        File size:187'904 bytes
                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:36
                                                                                        Start time:09:49:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:37
                                                                                        Start time:09:49:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:38
                                                                                        Start time:09:50:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        Imagebase:0xdb0000
                                                                                        File size:148'480 bytes
                                                                                        MD5 hash:31DFB639DA08EFDBE7FF7E289C199ECE
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:39
                                                                                        Start time:09:50:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                                                                                        Imagebase:0x7d0000
                                                                                        File size:148'480 bytes
                                                                                        MD5 hash:31DFB639DA08EFDBE7FF7E289C199ECE
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000027.00000002.4004536747.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000027.00000002.4005507938.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:true

                                                                                        Target ID:40
                                                                                        Start time:09:50:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:41
                                                                                        Start time:09:50:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:42
                                                                                        Start time:09:50:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:43
                                                                                        Start time:09:50:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:44
                                                                                        Start time:09:50:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                                                                                        Imagebase:0x560000
                                                                                        File size:187'904 bytes
                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:45
                                                                                        Start time:09:50:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:46
                                                                                        Start time:09:50:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:47
                                                                                        Start time:09:51:00
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        Imagebase:0x9d0000
                                                                                        File size:148'480 bytes
                                                                                        MD5 hash:31DFB639DA08EFDBE7FF7E289C199ECE
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:48
                                                                                        Start time:09:51:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                                                                                        Imagebase:0x380000
                                                                                        File size:148'480 bytes
                                                                                        MD5 hash:31DFB639DA08EFDBE7FF7E289C199ECE
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000030.00000002.4609082147.0000000000866000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000030.00000002.4611188210.000000000272F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:true

                                                                                        Target ID:49
                                                                                        Start time:09:51:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86"
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:50
                                                                                        Start time:09:51:01
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:51
                                                                                        Start time:09:51:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:52
                                                                                        Start time:09:51:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:53
                                                                                        Start time:09:51:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe'" /f
                                                                                        Imagebase:0x560000
                                                                                        File size:187'904 bytes
                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:54
                                                                                        Start time:09:51:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /C copy "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe" "C:\Users\user\AppData\Roaming\RemoteDestopManagerx86\RemoteDestopManagerx86.exe"
                                                                                        Imagebase:0x1c0000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:55
                                                                                        Start time:09:51:02
                                                                                        Start date:01/10/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff66e660000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:26.9%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:4.2%
                                                                                          Total number of Nodes:71
                                                                                          Total number of Limit Nodes:7

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 03276DF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID:
                                                                                          • API String ID: 2217836671-0
                                                                                          • Opcode ID: c863b9c0280dd68200ddc82b877a104f4ec5db5f4e3cdd77dd964f5da2565878
                                                                                          • Instruction ID: ed0b82fe6b59e1f6114d5625da2e6ff9194d8231ed8afe3647664d9bd083d8cc
                                                                                          • Opcode Fuzzy Hash: c863b9c0280dd68200ddc82b877a104f4ec5db5f4e3cdd77dd964f5da2565878
                                                                                          • Instruction Fuzzy Hash: ABA17C71E2061A9FEB14CF69C841BDDBBF6FF48304F1481A9E818A7290DB749985CF91

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 03276DF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID:
                                                                                          • API String ID: 2217836671-0
                                                                                          • Opcode ID: 6fba3b2459a699e3ab2d5acf84864c63a0836dbd1e6d7e779f10b4eba4072294
                                                                                          • Instruction ID: 4577a53b38a442858a91ccd2618a05103de9a87e9c46707e4c30993b383c1c1d
                                                                                          • Opcode Fuzzy Hash: 6fba3b2459a699e3ab2d5acf84864c63a0836dbd1e6d7e779f10b4eba4072294
                                                                                          • Instruction Fuzzy Hash: 31A17D71E1061A8FEB14CF69C841BDDBBF6FF48304F1481A9E818A7290DB749985CF91

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 3277160, calls WriteProcessMemory)
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 032771ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: cf04b375147f332d655e7fec4e82bff4305fcab50e1b1a2a74222d11c5b1de65
                                                                                          • Instruction ID: 10c7be2d083268e648310d2dfe8f265b05f96c76ceb29937ffc1bce1535501f0
                                                                                          • Opcode Fuzzy Hash: cf04b375147f332d655e7fec4e82bff4305fcab50e1b1a2a74222d11c5b1de65
                                                                                          • Instruction Fuzzy Hash: A321E2B1910349DFDB10CF9AC885BEEFBF4FB48310F10842AE918A7251D378A954CBA4

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 3277158, calls WriteProcessMemory)
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 032771ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: eea2b293065a668ebdb20b14bc3d52b7e9977551300bd9d9919565726e85e297
                                                                                          • Instruction ID: fd4cca50f1def48c196705022fb1e2dee2534f8cf21b8eade5a048e20e9d0923
                                                                                          • Opcode Fuzzy Hash: eea2b293065a668ebdb20b14bc3d52b7e9977551300bd9d9919565726e85e297
                                                                                          • Instruction Fuzzy Hash: CB21F2B59103499FDB00CFA9C985BEEBBF4FB48310F10842AE918A3250D378A944CFA4

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 3276f30, calls Wow64SetThreadContext)
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03276FAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          • Opcode ID: 85f933eaa0efa596301755597ab439a2af055f6ce884f228c3e2fe11bc61b61d
                                                                                          • Instruction ID: 0b8396065ace2d743e63043b5360012ce7d6580ca36222fe2660a5421d2d915c
                                                                                          • Opcode Fuzzy Hash: 85f933eaa0efa596301755597ab439a2af055f6ce884f228c3e2fe11bc61b61d
                                                                                          • Instruction Fuzzy Hash: 292138B1D1065A9FDB00CF9AC4857EEFBF4BB48710F148129E418A3340D778A954CFA5

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 3276ff0, calls ReadProcessMemory)
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0327706E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          • Opcode ID: 2b190c3ee10919beff323fa9a1ff2f9e535581ea93ab017673f8428d5965391b
                                                                                          • Instruction ID: b13909157c171601cca907bcc79e0866d09d82ccb38344b792b4890ffa06a27f
                                                                                          • Opcode Fuzzy Hash: 2b190c3ee10919beff323fa9a1ff2f9e535581ea93ab017673f8428d5965391b
                                                                                          • Instruction Fuzzy Hash: 8021F4B69002499FDB10CF9AC884BDEFBF4FF48320F148029E958A7651D378A954CFA5

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 3276f38, calls Wow64SetThreadContext)
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03276FAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          • Opcode ID: e7f9e8eb6c77cc3b1fe7e4204fa66840a5d3ff90572651588b93a93da9670797
                                                                                          • Instruction ID: dc51b52be2db82f672dee5c9d10721f6e8411dadb88b0a675d14999bbddb0b7e
                                                                                          • Opcode Fuzzy Hash: e7f9e8eb6c77cc3b1fe7e4204fa66840a5d3ff90572651588b93a93da9670797
                                                                                          • Instruction Fuzzy Hash: 392106B1D1061A9FDB00CF9AC8457EEFBF4BB48710F14812AE418A3340D778A954CFA5

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 3276ff8, calls ReadProcessMemory)
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0327706E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          • Opcode ID: abe1311b8e81f577b62c808304793c49fbe9b844756557f0aea3475eb809135a
                                                                                          • Instruction ID: 4005af2d2757e95cd2f3d18dc1c591a8a0f9ad39e139a786fe63a7b623e0fa00
                                                                                          • Opcode Fuzzy Hash: abe1311b8e81f577b62c808304793c49fbe9b844756557f0aea3475eb809135a
                                                                                          • Instruction Fuzzy Hash: 7B2103B1900249DFDB10CF9AC884BDEFBF4FB48320F108029E958A7250D378A944CFA5

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 32770b0, calls VirtualAllocEx)
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03277123
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: aa632f7fac069c1a69e19f85bd110c5d069588d0746ce999ff45833d0a7725ae
                                                                                          • Instruction ID: 2f9685bd74e42e92982a940a415311d6df66a27395d600ce25b5b076dbd837d7
                                                                                          • Opcode Fuzzy Hash: aa632f7fac069c1a69e19f85bd110c5d069588d0746ce999ff45833d0a7725ae
                                                                                          • Instruction Fuzzy Hash: AF1102B59002499FDB10CF9AD884BDEFFF4FB48720F248419E568A7250C335A944CFA5

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 32770b8, calls VirtualAllocEx)
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03277123
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 6a53bf8ead8163129860302ddfbe3c00b754a4e02ea87a596953a27bd1428b34
                                                                                          • Instruction ID: daa3afde64169aa0b069d644d5eb7e48599521ef22e078899ae9bb3103fedf86
                                                                                          • Opcode Fuzzy Hash: 6a53bf8ead8163129860302ddfbe3c00b754a4e02ea87a596953a27bd1428b34
                                                                                          • Instruction Fuzzy Hash: 5911E0B5900649DFDB10CF9AD884BDEFBF4FB88724F208419E518A7250C375A954CFA5

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 3277238, calls ResumeThread)
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 8dc8b10772e1cdddab2b7495de47eb3669be2a91ca98ba1582226b522bbbe348
                                                                                          • Instruction ID: f8da3b66a1c84d410dd00fdd1d146ca5d6c75e6e60402548c27d43b42a0cb0d8
                                                                                          • Opcode Fuzzy Hash: 8dc8b10772e1cdddab2b7495de47eb3669be2a91ca98ba1582226b522bbbe348
                                                                                          • Instruction Fuzzy Hash: 531112B1800349CFDB10CF9AD444BDEFBF8EB88324F20841AD558A7250C374A944CFA5

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 3277230, calls ResumeThread)
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.2164666737.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_3270000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 6a460a447cb8e1ae936de0c3fb03074a062c824b79b8760f6dbc7e0848ec890b
                                                                                          • Instruction ID: 3aee505ddc62aad007b47db54fc4b008c801aac085dda60b8d57b64d583f8670
                                                                                          • Opcode Fuzzy Hash: 6a460a447cb8e1ae936de0c3fb03074a062c824b79b8760f6dbc7e0848ec890b
                                                                                          • Instruction Fuzzy Hash: 181100B5800349CFEB10CF9AD545BEEFBF4BB48324F24845AD958A7250C378A944CFA9

                                                                                          Execution Graph

                                                                                          Execution Coverage:7.3%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:48
                                                                                          Total number of Limit Nodes:2
                                                                                          (graph rendering omitted; entry at 1548360, reached APIs: KiUserCallbackDispatcher, SetWindowsHookExW, DuplicateHandle)
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4631743387.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7580000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9a39d547a2f26f59a28b9e8d4d192accb623da1f6472a3c7992f65c7f4575d9a
                                                                                          • Instruction ID: a068dd230bc73438e5b24553b923eb7301ecf7a76d27bedfdd25bda2aba2ec11
                                                                                          • Opcode Fuzzy Hash: 9a39d547a2f26f59a28b9e8d4d192accb623da1f6472a3c7992f65c7f4575d9a
                                                                                          • Instruction Fuzzy Hash: E0D23835701604CFDB99FB34D1A866D77B3BBCA204B60496ED41A9B394EF35EC428B81

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 1547680, calls DuplicateHandle)
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0154770F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4619429142.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_1540000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: ea32e9008364ec6439b061498a0386d739807f9a8d55d59d5a74b54233eba59a
                                                                                          • Instruction ID: 9b66cc822c9f4de5ac44e1fcee155525265682dffe137356fcccbd3326d1b07d
                                                                                          • Opcode Fuzzy Hash: ea32e9008364ec6439b061498a0386d739807f9a8d55d59d5a74b54233eba59a
                                                                                          • Instruction Fuzzy Hash: 7621E0B5900249EFDB10CFA9D984ADEBBF4FB48314F14841AE958A7311D378AA54CF64

                                                                                          Control-flow Graph

                                                                                          (graph rendering omitted; function at 1547688, calls DuplicateHandle)
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0154770F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4619429142.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_1540000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: 14c2c44f6e6a50479bf9c9ba1906034cfc0e67c7ec5c09c81aecc67bed7130d5
                                                                                          • Instruction ID: 7b3a149c8185afe02302b2981a81d9860f83c9e9f3f8409b3dad8e68625eb2d1
                                                                                          • Opcode Fuzzy Hash: 14c2c44f6e6a50479bf9c9ba1906034cfc0e67c7ec5c09c81aecc67bed7130d5
                                                                                          • Instruction Fuzzy Hash: DA21C4B59002499FDB10CFAAD984ADEBFF4FB48314F14841AE914A7350D374A954CFA5

                                                                                          Control-flow Graph (rendered graph not reproduced; function starting at 1542303, calls SetWindowsHookExW)
                                                                                          APIs
                                                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01542383
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4619429142.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_1540000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: HookWindows
                                                                                          • String ID:
                                                                                          • API String ID: 2559412058-0
                                                                                          • Opcode ID: 98577830e1f2889e6f3f57873e14037b7a8febc6eb4155ab4c194f84d2afde8b
                                                                                          • Instruction ID: d233575c97640942dd8008fb83fa006e645098d712ff99e46e62ef1b7a276321
                                                                                          • Opcode Fuzzy Hash: 98577830e1f2889e6f3f57873e14037b7a8febc6eb4155ab4c194f84d2afde8b
                                                                                          • Instruction Fuzzy Hash: B52134B19002198FDB14DFA9D844BDEBBF5BF88314F148419E418AB250C775A940CFA4

                                                                                          Control-flow Graph (rendered graph not reproduced; function starting at 1542308, calls SetWindowsHookExW)
                                                                                          APIs
                                                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01542383
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4619429142.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_1540000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: HookWindows
                                                                                          • String ID:
                                                                                          • API String ID: 2559412058-0
                                                                                          • Opcode ID: bdd1a1117a719f3fcaa5156e42640ee56fe20089b1e57e0b920f98ebbe22e3f1
                                                                                          • Instruction ID: bb3e1fd474ff2259025c7c4188c981d12bbc126cfb5498658a6daebc0c4da4a8
                                                                                          • Opcode Fuzzy Hash: bdd1a1117a719f3fcaa5156e42640ee56fe20089b1e57e0b920f98ebbe22e3f1
                                                                                          • Instruction Fuzzy Hash: 942115B5D002198FDB14DFA9D844BDEFBF5BF88314F148419E419AB250C775A944CFA4

                                                                                          Control-flow Graph (rendered graph not reproduced; function starting at 154d368, calls KiUserCallbackDispatcher)
                                                                                          APIs
                                                                                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0154D3DD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4619429142.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_1540000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallbackDispatcherUser
                                                                                          • String ID:
                                                                                          • API String ID: 2492992576-0
                                                                                          • Opcode ID: c2de4609b4c571a49cf93a7576befb7dab63f01e20c6197fc6f047fd96259d3c
                                                                                          • Instruction ID: 738181bf692769e1273df988ecbcf80848fedd3d7bff09cca9c670b78ddd806e
                                                                                          • Opcode Fuzzy Hash: c2de4609b4c571a49cf93a7576befb7dab63f01e20c6197fc6f047fd96259d3c
                                                                                          • Instruction Fuzzy Hash: 9111CD70904389CEDB11CF99D1093EEBFF4AF05328F148099E888A7382C7795604CBA5

                                                                                          Control-flow Graph (rendered graph not reproduced; function starting at 154d378, calls KiUserCallbackDispatcher)
                                                                                          APIs
                                                                                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0154D3DD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4619429142.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_1540000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallbackDispatcherUser
                                                                                          • String ID:
                                                                                          • API String ID: 2492992576-0
                                                                                          • Opcode ID: c28cf5d2822aeff6aff67dd09ea97d7863c950a3895a782f6ab68da7bc2214a4
                                                                                          • Instruction ID: d2669df57b6ab15af2047ec4654c2774c24c52bb0b38197517b602f01c58edd5
                                                                                          • Opcode Fuzzy Hash: c28cf5d2822aeff6aff67dd09ea97d7863c950a3895a782f6ab68da7bc2214a4
                                                                                          • Instruction Fuzzy Hash: CD118BB1914389CFDB11CF99D1093EEBFF4AF09328F108099E598A7382C7799604CBA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4631743387.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7580000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d230c57a6a4ba176cf4e5c3d71b535f7543e9b150cc5fc772536e4bccf11471d
                                                                                          • Instruction ID: 08f2cefacee9e2cc1bb9c1e757134f8d7584e8d997f60c9418723bed70330c68
                                                                                          • Opcode Fuzzy Hash: d230c57a6a4ba176cf4e5c3d71b535f7543e9b150cc5fc772536e4bccf11471d
                                                                                          • Instruction Fuzzy Hash: 01313671609389CFC766A734D8542AD7FF6EF86260B5408EBD009E7391EA358C4AC782
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4617676976.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_116d000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 44a1de6fd520e218847075b2acd5a89def632e639caf8fecb01f47d2466cb271
                                                                                          • Instruction ID: 707d6c9b099bcaa0a81f2ad4473f6e55ae976ebae0cf13d3ad34629d7432a169
                                                                                          • Opcode Fuzzy Hash: 44a1de6fd520e218847075b2acd5a89def632e639caf8fecb01f47d2466cb271
                                                                                          • Instruction Fuzzy Hash: 23212671604204EFDF09DF54E9C0B26BBA9FB88314F24C56DD9494B292C3BBD466CB62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4617676976.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_116d000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                                                          • Instruction ID: 8d2f7bbc8698f21f2531a230054182fd4f96d851a30b260614546936d354a067
                                                                                          • Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                                                          • Instruction Fuzzy Hash: 0E11BB75604284CFDB0ACF54E9C4B15BBA1FB84214F28C6A9DC494B256C37BD45ACB62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4631743387.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7580000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 84f20a1720144ce770de22e7a29bba9413ad9dd39d4a04a1592aeb9836789615
                                                                                          • Instruction ID: b8c71c62e47ac539b4e99dd2437b9a538c4dfe6473df2e4bd0c508ded35ba721
                                                                                          • Opcode Fuzzy Hash: 84f20a1720144ce770de22e7a29bba9413ad9dd39d4a04a1592aeb9836789615
                                                                                          • Instruction Fuzzy Hash: CF118E75B105188FCB449B68C559BAE7BF2AF88710F21405AE906EB3A0CF719D06CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4631743387.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7580000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 51ece2cfcdc16cf1ac54b9ecdbfaf3e102e2021a8e01ca2abe73bf622473bba3
                                                                                          • Instruction ID: 94f64143a6180d0532cc2addd4874955b3ce0064e9dadc6ca165daaff6f41843
                                                                                          • Opcode Fuzzy Hash: 51ece2cfcdc16cf1ac54b9ecdbfaf3e102e2021a8e01ca2abe73bf622473bba3
                                                                                          • Instruction Fuzzy Hash: 3B0192717105089FDB149B69C859BAEBBF6AF8C710F21406AE506EB3A0CF719D06CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4631743387.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7580000_bWrRSlOThY.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c8bd9b3be228766166e9c89dffbe8120e95cd2888cf57e56ffba698368b6a278
                                                                                          • Instruction ID: 6a5b4f4744288975f4e3af86f8c9e6805a6b11b64d89341a8b2598dcb0a91445
                                                                                          • Opcode Fuzzy Hash: c8bd9b3be228766166e9c89dffbe8120e95cd2888cf57e56ffba698368b6a278
                                                                                          • Instruction Fuzzy Hash: 238259707006068FEB58EF69C884B6EBAE2FF84700F20852DD5169B3A5DE75DC468B91

                                                                                          Execution Graph

                                                                                          Execution Coverage:28.7%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:71
                                                                                          Total number of Limit Nodes:7
                                                                                          (rendered graph not reproduced; starting from c70848 the graph chains CreateProcessAsUserA, Wow64SetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory and ResumeThread)

                                                                                          Control-flow Graph (rendered graph not reproduced; function starting at c76b54, calls CreateProcessAsUserA and c75fd0)
                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C76DF3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID: ZN$ ZN
                                                                                          • API String ID: 2217836671-627483236
                                                                                          • Opcode ID: 38ca47020f207d509ff1e5c8fef7df21195e08d62701b866c7702cc98c7d911c
                                                                                          • Instruction ID: 55c6a01aa1dd76f40f0b7732b1a2ae1913f9a2e1443ccd1b4f6e410c59ecf2b1
                                                                                          • Opcode Fuzzy Hash: 38ca47020f207d509ff1e5c8fef7df21195e08d62701b866c7702cc98c7d911c
                                                                                          • Instruction Fuzzy Hash: CFB14A70E006199FEB11CF69C8417EDBBF2EF49304F10C1A9E828A7291DB749A85CF91

                                                                                          Control-flow Graph (rendered graph not reproduced; function starting at c76b60, calls CreateProcessAsUserA and c75fd0)
                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C76DF3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID: ZN$ ZN
                                                                                          • API String ID: 2217836671-627483236
                                                                                          • Opcode ID: 97eef9cb976a832392ff2907e3d4861d97abe6352d4e885e3092c28314e767d2
                                                                                          • Instruction ID: 08b220eaeee984c5d369f8faea44deb68f8aa77cc39dff2e14bb8627d950003d
                                                                                          • Opcode Fuzzy Hash: 97eef9cb976a832392ff2907e3d4861d97abe6352d4e885e3092c28314e767d2
                                                                                          • Instruction Fuzzy Hash: B6A12871E006199FEB15CF69C8417EDBBF2FF48304F1081A9E828A7291DB749A85CF91

Control-flow Graph
• (graph image not reproduced) basic blocks c77158-c77224; WriteProcessMemory is called from block c771c1-c771fa
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00C771ED
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID: ZN
• API String ID: 3559483778-1162681949
• Opcode ID: 216832ff55ce9e40a843a6f78c37d9dfeb38c610153c40c48c899b024de4e95c
• Instruction ID: fb368af4348e39c46bcc8a4c7075aac866027120eec8076046866a6a0665bfe3
• Opcode Fuzzy Hash: 216832ff55ce9e40a843a6f78c37d9dfeb38c610153c40c48c899b024de4e95c
• Instruction Fuzzy Hash: AE21F4B19042499FDF10CFAAD885BDEBBF5BB48310F508529E918A3251D378A944CFA5

Control-flow Graph
• (graph image not reproduced) basic blocks c77160-c77224; WriteProcessMemory is called from block c771c1-c771fa
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00C771ED
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID: ZN
• API String ID: 3559483778-1162681949
• Opcode ID: 8e600f960efbd9b22909decec8ca2df0c436bb17cb176801797a71051ca8511c
• Instruction ID: 508d0dfbb30654fcfe1e318b50ac392e58592714188b16ca114e0093b4e6d60f
• Opcode Fuzzy Hash: 8e600f960efbd9b22909decec8ca2df0c436bb17cb176801797a71051ca8511c
• Instruction Fuzzy Hash: E42114B1900349DFDF10CF9AC885BDEBBF4FB48310F10852AE918A3250D378AA40CBA5

Control-flow Graph
• (graph image not reproduced) basic blocks c76f30-c76fe6; Wow64SetThreadContext is called from block c76f90-c76fbc
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00C76FAF
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID: ZN
• API String ID: 983334009-1162681949
• Opcode ID: e5d5c6013816aec77c25c2007751e4f64645ff641238cd40e8046359392d0ae1
• Instruction ID: 2130f2edb7299b112687c00bc42f4c78430c09150c62fcd6d279824dda9f7b52
• Opcode Fuzzy Hash: e5d5c6013816aec77c25c2007751e4f64645ff641238cd40e8046359392d0ae1
• Instruction Fuzzy Hash: C72124B1D0061A9FDB00CFAAD8857EEFBF4BB48714F10812AE518A3740D778A9548FA5

Control-flow Graph
• (graph image not reproduced) basic blocks c76ff0-c770a5; ReadProcessMemory is called from block c76ffa-c7707b
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C7706E
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID: ZN
• API String ID: 1726664587-1162681949
• Opcode ID: 39c087255ad512fe4fbb1720180f3e7fe3f0819f4610f097914df31fdc3a51e5
• Instruction ID: b354f6928e466ef3fff54784d90c6666d8d1302a95c555d8a4aa8cfdd7b28a62
• Opcode Fuzzy Hash: 39c087255ad512fe4fbb1720180f3e7fe3f0819f4610f097914df31fdc3a51e5
• Instruction Fuzzy Hash: 302137B18006499FCB10CFAAC844BEEBBF4FB48310F108029E518A3211D779A940CFA1

Control-flow Graph
• (graph image not reproduced) basic blocks c76f38-c76fe6; Wow64SetThreadContext is called from block c76f90-c76fbc
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00C76FAF
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID: ZN
• API String ID: 983334009-1162681949
• Opcode ID: 6f3450cba684e513390700b45c4b01900288a2ba4183bd5090d1430e149d366d
• Instruction ID: 2b9f3e246af9c2a5ac535b49dec13c2426ddbc6705a2a37ca2642d90e5ea8fbd
• Opcode Fuzzy Hash: 6f3450cba684e513390700b45c4b01900288a2ba4183bd5090d1430e149d366d
• Instruction Fuzzy Hash: 572117B1D0061A9FDB00CFAAD8457EEFBF4BB48714F10812AE518A3340D778A954CFA5

Control-flow Graph
• (graph image not reproduced) basic blocks c76ff8-c770a5; ReadProcessMemory is called from block c76ff8-c7707b
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C7706E
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID: ZN
• API String ID: 1726664587-1162681949
• Opcode ID: 384485352cfd9398328ff3bdfcda53b1120b88d2c0fec8463dcea0c95acb4c18
• Instruction ID: ecc433469d602c6d6f1970f55731bd4b8e6147eb8ab896c4e368224f62e180e6
• Opcode Fuzzy Hash: 384485352cfd9398328ff3bdfcda53b1120b88d2c0fec8463dcea0c95acb4c18
• Instruction Fuzzy Hash: 1C21D3B5900249DFDB10CF9AC884BDEFBF4FB48320F108529E958A7250D779AA54CFA5

Control-flow Graph
• (graph image not reproduced) basic blocks c770b0-c7714d; VirtualAllocEx is called from block c770ba-c77130
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C77123
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: AllocVirtual
• String ID: ZN
• API String ID: 4275171209-1162681949
• Opcode ID: cba1c85fa849140308b5cabdcf84df93050275f593f98f004fc08ae300bbd624
• Instruction ID: 816e6529a23f5d34c1daf96b9e8ae5aac1c94491fa74264ff17e324ada492928
• Opcode Fuzzy Hash: cba1c85fa849140308b5cabdcf84df93050275f593f98f004fc08ae300bbd624
• Instruction Fuzzy Hash: A21123B58042499FCF10CF9AD884BEEBBF4EF48320F208519E618A7221D775A940CFA5

Control-flow Graph
• (graph image not reproduced) basic blocks c770b8-c7714d; VirtualAllocEx is called from block c770b8-c77130
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C77123
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: AllocVirtual
• String ID: ZN
• API String ID: 4275171209-1162681949
• Opcode ID: e8782c64069a2e1aa94bb6acc0d92dc5ba75a9406a7bae798f813807af388fc8
• Instruction ID: d89e2e23eb3429e606995c45f27ef9d8a672d027ce6e60c1587b57c56b31bfd7
• Opcode Fuzzy Hash: e8782c64069a2e1aa94bb6acc0d92dc5ba75a9406a7bae798f813807af388fc8
• Instruction Fuzzy Hash: C811E0B5900249DFDB10CF9AD884BDEBBF4EB88324F208419E628A7250C775A954CFA5

Control-flow Graph
• (graph image not reproduced) basic blocks c77230-c772c1; ResumeThread is called from block c7723a-c772a4
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: ResumeThread
• String ID: ZN
• API String ID: 947044025-1162681949
• Opcode ID: b10849a33207a2ba198aafa76415cd9d3b079465a0808360691cafc6c3fe7895
• Instruction ID: b6c76c6c7bc4e68f68ce36e25864cf89858d27881cf1c998599cd759c87348ba
• Opcode Fuzzy Hash: b10849a33207a2ba198aafa76415cd9d3b079465a0808360691cafc6c3fe7895
• Instruction Fuzzy Hash: 251148B1804349CFDF10CF9AD444BDEFBF4AB48314F208419E528A3251C374A944CFA5

Control-flow Graph
• (graph image not reproduced) basic blocks c77238-c772c1; ResumeThread is called from block c77238-c772a4
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2769372662.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_c70000_RemoteDestopManagerx86.jbxd
Similarity
• API ID: ResumeThread
• String ID: ZN
• API String ID: 947044025-1162681949
• Opcode ID: dd4f5899561e24647c76a2d2934b2ea5a9f4875b7222115a0f07f52629f66095
• Instruction ID: 50f692916771dca69607a9ff0a2f2dd862f3f3201b1dc6e7261d407b87320cda
• Opcode Fuzzy Hash: dd4f5899561e24647c76a2d2934b2ea5a9f4875b7222115a0f07f52629f66095
• Instruction Fuzzy Hash: 251123B1800349CFDB10CF9AD844BDEFBF8EB88324F20841AD528A7250C774A944CFA5
Strings
Memory Dump Source
• Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
Similarity
• API ID:
• String ID: d t
• API String ID: 0-2792223501
• Opcode ID: 8c6433d79cfb756505cc197245de385f26d86756e1c76023829e9d069d65a5c6
• Instruction ID: 24d673c5fafa4a9fb330babda078d0bd986dad1a1a2200d57b2dee03f0185077
• Opcode Fuzzy Hash: 8c6433d79cfb756505cc197245de385f26d86756e1c76023829e9d069d65a5c6
• Instruction Fuzzy Hash: 32518C30B005149FDB54DF6DC458B9EBBF2EF89700F2581AAE806DB3A2CA75DC058B81
Memory Dump Source
• Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7baa5f3bd59f28ae076b3fb975473ff03c117707a20f40e821bc23e7b122eac6
• Instruction ID: 395418b4f20ba8cef828ab2240ea8a3e3038b8298428e8ad6cfe9b90b909b829
• Opcode Fuzzy Hash: 7baa5f3bd59f28ae076b3fb975473ff03c117707a20f40e821bc23e7b122eac6
• Instruction Fuzzy Hash: D3419031B042448FDB15EF79D454B9EBBF2EF89300F1445A9E406EB3A2CA759C09CB51
Memory Dump Source
• Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a29a7e1f45a6aa75376923a8ff6e05385a679eb85d3b91e006a218db952b114
• Instruction ID: 79a1f947f254ac83323b3669483d719f5d9963bf7ef608ecdc60592441756fb2
• Opcode Fuzzy Hash: 6a29a7e1f45a6aa75376923a8ff6e05385a679eb85d3b91e006a218db952b114
• Instruction Fuzzy Hash: 3E51A338601A42DFD716EF74E8849697B72FB8430571086E8D5218F36AEBB1ED46CF81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0797804573097f6129e7ed05d8e65e1c1f9f83e8fc39bbd273796d12499f5769
                                                                                          • Instruction ID: 9e215c9603c996b45e15a9756790b8d52e5de51f284011c1c310025c412085b9
                                                                                          • Opcode Fuzzy Hash: 0797804573097f6129e7ed05d8e65e1c1f9f83e8fc39bbd273796d12499f5769
                                                                                          • Instruction Fuzzy Hash: FE41C1307217428FDB25BB79985433A7AE1FB4430671049FDDC46CB2A1EF20CC0A8B51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b5b3e2c619f152f99247db0f554d9f72fea1d7b5ba70705137761b3738ebf665
                                                                                          • Instruction ID: 1bfed1d55b63b8a0b6c5d3fe14b2fa66b38489e28bd250d2095fbc1f642f66ec
                                                                                          • Opcode Fuzzy Hash: b5b3e2c619f152f99247db0f554d9f72fea1d7b5ba70705137761b3738ebf665
                                                                                          • Instruction Fuzzy Hash: 1B41A074E00249AFCB44DBBDC5547AEFBFAEF89300F2485A9D44AD7346DA349D428B90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4f7b448b8bb144fe076d9a1351d0ec62b547a0a36076569cea30da05c70b51ff
                                                                                          • Instruction ID: ca57c6f6d923ccf9c3e453ed8614571b71c2b0661e27b4c1176706637e652161
                                                                                          • Opcode Fuzzy Hash: 4f7b448b8bb144fe076d9a1351d0ec62b547a0a36076569cea30da05c70b51ff
                                                                                          • Instruction Fuzzy Hash: BF319E30B217428FDB65BBB9985433E7AE6EB8070671049FD9847C7291EF20CC4A9B51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9771b022e6b5e909caa1fce1e0096a1a1e189d4cd5c8716e25d532ddba982675
                                                                                          • Instruction ID: e7ba171c3a8d570c312cb47abd3c3bfd60d9106dfcb93c30502dca911397c150
                                                                                          • Opcode Fuzzy Hash: 9771b022e6b5e909caa1fce1e0096a1a1e189d4cd5c8716e25d532ddba982675
                                                                                          • Instruction Fuzzy Hash: DA319170B012568FDB54EB788491A7EBBF2AFC9300B1444ADE546DB3A5DE349C06CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7d9668f27da30e1eb563025c88f6aba8b08ad251e24d14e403a3c823696c7d25
                                                                                          • Instruction ID: 65e2f7431877e9cf5517ddd43589df6bf17194ea16cf0396358760afda39efcd
                                                                                          • Opcode Fuzzy Hash: 7d9668f27da30e1eb563025c88f6aba8b08ad251e24d14e403a3c823696c7d25
                                                                                          • Instruction Fuzzy Hash: 98316D75A002458FDB15DF68C458BAEBBF2FF89301F2485A9E402AB3A1CB709D49CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2813970102.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_aad000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2945eda74f3461cc38f8d50e07f700a396f519fc7bbd1a431c1a396212099b4c
                                                                                          • Instruction ID: 4daaa8f6d79928599727fb947923155a7e0b66ab1e9c5f07c6346a6f23f52358
                                                                                          • Opcode Fuzzy Hash: 2945eda74f3461cc38f8d50e07f700a396f519fc7bbd1a431c1a396212099b4c
                                                                                          • Instruction Fuzzy Hash: BE2125B1504200EFDB05DF14D9C0B26BF65FB98314F20C56DE94A0B696C336E856DBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2813970102.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_aad000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                                                          • Instruction ID: 050844c9723c9d100ea0e766919022f6f566536773118d8dc9684e10f590590f
                                                                                          • Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                                                          • Instruction Fuzzy Hash: F511E676504280CFCB15CF10D5C4B16BF71FB98314F24C5A9DC4A0B656C33AE856CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a5712a672f5dbe9b0e6960cac6b7766646199f50527f545b7265b0c412a5d9ff
                                                                                          • Instruction ID: c9a1d5eb891c81a403689266f763c85a48cc5d227a73958c1ec058384145f681
                                                                                          • Opcode Fuzzy Hash: a5712a672f5dbe9b0e6960cac6b7766646199f50527f545b7265b0c412a5d9ff
                                                                                          • Instruction Fuzzy Hash: 4911A074A012419FCB14EBB8D844AAA7BF6EF8930171008FDE806DB365EA35CC42CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bdf68457d32442a4b8bd23d115a7a4bc293d1a2c0fe4922cf35159a579feafda
                                                                                          • Instruction ID: 701408ee0a2c5ad3c2258e7c39f0f949535f3e740ba1e477ac9ef162d8b0cc2a
                                                                                          • Opcode Fuzzy Hash: bdf68457d32442a4b8bd23d115a7a4bc293d1a2c0fe4922cf35159a579feafda
                                                                                          • Instruction Fuzzy Hash: C0115B74B012059FCB54EBB9E845A6A7BE6EF8830171048B9D807DB354EA35DC41CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5faab0ebf06cd0261f13f6b6c9c04cfe6733c5c78be2a50a56e2726204b41ab1
                                                                                          • Instruction ID: 374a61c5fbae19814a3e7456bc40d2a60cadbcc64dcb8f62c680a228febbc5c4
                                                                                          • Opcode Fuzzy Hash: 5faab0ebf06cd0261f13f6b6c9c04cfe6733c5c78be2a50a56e2726204b41ab1
                                                                                          • Instruction Fuzzy Hash: BDF0C8207092800FD78AA73D586459E7FE79FCE15035945EAE146CB3A7CD698C068365
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000013.00000002.2814114225.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_19_2_b50000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2db5f2a103df36a1df807ea1d1a4341b386dcc4f8750d00fef1227d2ce17021e
                                                                                          • Instruction ID: a3cb094f34a094200ecf144548babcffaf0d51ca221643cddb855bf6c1ccd3ff
                                                                                          • Opcode Fuzzy Hash: 2db5f2a103df36a1df807ea1d1a4341b386dcc4f8750d00fef1227d2ce17021e
                                                                                          • Instruction Fuzzy Hash: 3FE0C2313012004F83849B7EA88889BB7DAEFCC5303140879F109C7322CE61CC014390

                                                                                          Execution Graph

                                                                                          • Execution Coverage: 27.1%
                                                                                          • Dynamic/Decrypted Code Coverage: 100%
                                                                                          • Signature Coverage: 0%
                                                                                          • Total number of Nodes: 74
                                                                                          • Total number of Limit Nodes: 7
                                                                                          • Graph: rendered interactively in the original report; only the node/edge list was extracted. Entry node 1160848 reaches 1166786 (12 API calls), whose callees in address order resolve to CreateProcessAsUserA (1166bed), Wow64SetThreadContext (1166f38/1166f80), ReadProcessMemory (1166ff8/1167040), VirtualAllocEx (11670b8/11670fb), WriteProcessMemory (11671ab), Wow64SetThreadContext again, and ResumeThread (1167279).

                                                                                          Control-flow Graph

                                                                                          • Function 1166b54: graph rendered interactively in the original report (executed/not-executed colouring not recoverable). Basic blocks span 1166b54-1166ef0; CreateProcessAsUserA is called from block 1166d4a-1166e06, and 1165fc4 is called from blocks 1166e8b-1166e8e, 1166e9f-1166ea2 and 1166eb3-1166eb6.
                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01166DF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID:
                                                                                          • API String ID: 2217836671-0
                                                                                          • Opcode ID: c322050e5da5028ba7614aa7a3deb76daad08ff51fe7b5043924ec494eb7cfff
                                                                                          • Instruction ID: 234efef718ddc5c88a99d1aab31b049bbf2f72327454d54cce236cf5c31f02ef
                                                                                          • Opcode Fuzzy Hash: c322050e5da5028ba7614aa7a3deb76daad08ff51fe7b5043924ec494eb7cfff
                                                                                          • Instruction Fuzzy Hash: 31A19970E006198FEB18CFA8C9407EDBBF6FF48304F0481A9E918A7294DB759995CF81

                                                                                          Control-flow Graph

                                                                                          • Function 1166b60: graph rendered interactively in the original report (executed/not-executed colouring not recoverable). Basic blocks span 1166b60-1166ef0; CreateProcessAsUserA is called from block 1166d4a-1166e06, and 1165fc4 is called from blocks 1166e8b-1166e8e, 1166e9f-1166ea2 and 1166eb3-1166eb6.
                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01166DF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID:
                                                                                          • API String ID: 2217836671-0
                                                                                          • Opcode ID: aeb029023ce93475df7f4ea7d0bff226be3679d782c2a1e574ed2712a24148db
                                                                                          • Instruction ID: b665524390d96d54ac7eddd68390872592908e5d07f65961cf8c9e7793ee897d
                                                                                          • Opcode Fuzzy Hash: aeb029023ce93475df7f4ea7d0bff226be3679d782c2a1e574ed2712a24148db
                                                                                          • Instruction Fuzzy Hash: 3EA18971E006198FEB18CFA9C8407EDBBF6FF48304F0081A9E918A7294DB759995CF91

                                                                                          Control-flow Graph

                                                                                          • Function 1167160: graph rendered interactively in the original report (executed/not-executed colouring not recoverable). Basic blocks span 1167160-1167224; WriteProcessMemory is called from block 11671c1-11671fa, with the failure branch at 11671fc-1167202 rejoining at 1167203-1167224.
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 011671ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0

Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function 1167158-1167224, WriteProcessMemory called in block 11671c1-11671fa
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 011671ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0

Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function 1166f30-1166fe6, Wow64SetThreadContext called in block 1166f90-1166fbc
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01166FAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0

Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function 1166ff0-11670a5, ReadProcessMemory called in block 1166ff0-116707b
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0116706E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0

Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function 1166f38-1166fe6, Wow64SetThreadContext called in block 1166f90-1166fbc
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01166FAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0

Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function 1166ff8-11670a5, ReadProcessMemory called in block 1166ff8-116707b
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0116706E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0

Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function 11670b0-116714d, VirtualAllocEx called in block 11670b0-1167130
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01167123
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0

Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function 11670b8-116714d, VirtualAllocEx called in block 11670b8-1167130
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01167123
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0

Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function 1167238-11672c1, ResumeThread called in block 1167238-11672a4
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0

Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function 1167230-11672c1, ResumeThread called in block 1167230-11672a4
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001D.00000002.3361179787.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_29_2_1160000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: d t
                                                                                          • API String ID: 0-2792223501
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f09f9596a38735185e590f9f720c74f2f8ce88caf96bc4a0f39a07ccac50fb81
                                                                                          • Instruction ID: 75d4bcc3fa0fd32ed5c502e5bfdfade1078832056836085da13b86c29e5afed0
                                                                                          • Opcode Fuzzy Hash: f09f9596a38735185e590f9f720c74f2f8ce88caf96bc4a0f39a07ccac50fb81
                                                                                          • Instruction Fuzzy Hash: 7741B0307116428FDB1CAB36D81473EBAE6BF84648724593ED647C72D0EF20D941CB5A
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6b2b7154bc361cd52af41535232074d08fb11fd3569a10c80ab28e19fe55ca60
                                                                                          • Instruction ID: c3a0f8d827ea27c3991dd7bbe66f4126ddb5ba0347ae3bbbf1bf6a48e456cec6
                                                                                          • Opcode Fuzzy Hash: 6b2b7154bc361cd52af41535232074d08fb11fd3569a10c80ab28e19fe55ca60
                                                                                          • Instruction Fuzzy Hash: 4D31A2307112429FDB1CBB76D81473EBAE6BF84648724592ED647C72C0EF20D881DB5A
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b1199c49c1684b449efa2378ecdb864a687d1b0006f0c53fe6d73bb576329081
                                                                                          • Instruction ID: c14a8ca07475c43afecd0215dc78e9a6f9b02a879ad310fc5177405f4db36df6
                                                                                          • Opcode Fuzzy Hash: b1199c49c1684b449efa2378ecdb864a687d1b0006f0c53fe6d73bb576329081
                                                                                          • Instruction Fuzzy Hash: FB31BF70B012569FDB14EB788861A6EBBF2BFC9200B14816DE54ADB395DE319C01CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0b0be81e433a2b279e6f6a62766fb39d920227e8e7260859ab7ac12cd77085b4
                                                                                          • Instruction ID: 70895d861596f1fb7e8ddecc87b094784b07b79635ec8a27036e3582e02aef7e
                                                                                          • Opcode Fuzzy Hash: 0b0be81e433a2b279e6f6a62766fb39d920227e8e7260859ab7ac12cd77085b4
                                                                                          • Instruction Fuzzy Hash: 09319E31A00205DFDB18DF69C458B9EBBF2BF88304F2485AAE501AB3A1CB749D45CB94
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398236110.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_cbd000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a6c53838c66b5eb98f0ae0b798b8ad93c527ea8aba2f62a035ff93d1f9b1092f
                                                                                          • Instruction ID: fbb654ca05dec23ddc71c59984a929f65babfd80b319f3e87d3d8a76507ad859
                                                                                          • Opcode Fuzzy Hash: a6c53838c66b5eb98f0ae0b798b8ad93c527ea8aba2f62a035ff93d1f9b1092f
                                                                                          • Instruction Fuzzy Hash: DB212571500200DFDB04DF14D9C0B56BF65FB94324F24C56DE90A0B256D336E856CFA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398236110.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_cbd000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                                                          • Instruction ID: 227185cabc8941f13257f009f6300c52456fdf59819e168030473ece8b4e8b0a
                                                                                          • Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                                                          • Instruction Fuzzy Hash: F311D376504280CFCB15CF10D5C4B56BF71FB94314F24C5A9D84A0B656C33AE95ACFA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 07c5caa73fca149024c09f149abd89272d4e51b412dd793500a9a016d98741b3
                                                                                          • Instruction ID: 04730daddf0f92fd563569b372eea0df75308346f50dae6f14ef956e5d1bb3ba
                                                                                          • Opcode Fuzzy Hash: 07c5caa73fca149024c09f149abd89272d4e51b412dd793500a9a016d98741b3
                                                                                          • Instruction Fuzzy Hash: CC11AD74B01205DFCB54EBB8D9046AABBE6BF886047204879D40BDB358EE31DC41CB95
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b7252a8104189ecae4187fc42a0c24032e1d04d30abd69864e3a2f1a1e44f66c
                                                                                          • Instruction ID: a712988708e784e166abc9b4a6f8c527ecb16cee4c2875162da73585ec2f2270
                                                                                          • Opcode Fuzzy Hash: b7252a8104189ecae4187fc42a0c24032e1d04d30abd69864e3a2f1a1e44f66c
                                                                                          • Instruction Fuzzy Hash: AE11AC74B012429FCB50EB78E914AEABBF2AF89604714497DD40BD7359EB31CC41CB85
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cadc5918c8be106e5d1ad3ccb54a0ecb1b0b2d16a2612cf148a0fb98cff91150
                                                                                          • Instruction ID: 589f7ef92f3ac30f90a44209f825908f6caaee93b3206796351ed188715a1a3a
                                                                                          • Opcode Fuzzy Hash: cadc5918c8be106e5d1ad3ccb54a0ecb1b0b2d16a2612cf148a0fb98cff91150
                                                                                          • Instruction Fuzzy Hash: D1F0FC307092804FC359AB79586459E3FE39FCA11032544FFF145CB3A2DD288C078361
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.3398481475.0000000002540000.00000040.00000800.00020000.00000000.sdmp, Offset: 02540000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_2540000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1d6855c7dd602b3aa752bc8072034e23f29179681058153388ede86f80bd761a
                                                                                          • Instruction ID: a9ec14653cc93491938e03516011b9cb8901bbaba1e4f41a43f6916600284f80
                                                                                          • Opcode Fuzzy Hash: 1d6855c7dd602b3aa752bc8072034e23f29179681058153388ede86f80bd761a
                                                                                          • Instruction Fuzzy Hash: 74E08C313012004F83449A2EA88899AB7DAEBC853031408B9F109C7321CE60DC014290

                                                                                          Execution Graph

                                                                                          Execution Coverage:24.1%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:67
                                                                                          Total number of Limit Nodes:6
                                                                                          execution_graph 3443 2df0848 3444 2df084e 3443->3444 3445 2df0858 3444->3445 3447 2df261d 3444->3447 3448 2df2630 3447->3448 3452 2df50e8 3448->3452 3456 2df50e2 3448->3456 3449 2df2669 3449->3445 3453 2df50f4 3452->3453 3454 2df5107 3453->3454 3460 2df6786 3453->3460 3454->3449 3457 2df50e8 3456->3457 3458 2df5107 3457->3458 3459 2df6786 12 API calls 3457->3459 3458->3449 3459->3457 3461 2df67ad 3460->3461 3462 2df687a 3461->3462 3490 2df6b54 3461->3490 3494 2df6b60 3461->3494 3464 2df6ab8 3462->3464 3498 2df6f30 3462->3498 3502 2df6f38 3462->3502 3463 2df68d8 3463->3464 3506 2df6ff8 3463->3506 3509 2df6ff0 3463->3509 3464->3453 3465 2df690e 3513 2df70b8 3465->3513 3516 2df70b0 3465->3516 3466 2df694d 3466->3464 3520 2df7160 3466->3520 3524 2df7158 3466->3524 3467 2df69a1 3468 2df6a38 3467->3468 3482 2df7158 WriteProcessMemory 3467->3482 3483 2df7160 WriteProcessMemory 3467->3483 3480 2df7158 WriteProcessMemory 3468->3480 3481 2df7160 WriteProcessMemory 3468->3481 3469 2df6a61 3469->3464 3486 2df6f38 Wow64SetThreadContext 3469->3486 3487 2df6f30 Wow64SetThreadContext 3469->3487 3470 2df6aa5 3528 2df7230 3470->3528 3531 2df7238 3470->3531 3471 2df6ab6 3471->3453 3480->3469 3481->3469 3482->3467 3483->3467 3486->3470 3487->3470 3492 2df6bed CreateProcessAsUserA 3490->3492 3493 2df6e08 3492->3493 3496 2df6bed CreateProcessAsUserA 3494->3496 3497 2df6e08 3496->3497 3499 2df6f38 Wow64SetThreadContext 3498->3499 3501 2df6fbe 3499->3501 3501->3463 3503 2df6f80 Wow64SetThreadContext 3502->3503 3505 2df6fbe 3503->3505 3505->3463 3507 2df7040 ReadProcessMemory 3506->3507 3508 2df707d 3507->3508 3508->3465 3510 2df6ff8 ReadProcessMemory 3509->3510 3512 2df707d 3510->3512 3512->3465 3514 2df70fb VirtualAllocEx 3513->3514 3515 2df7132 3514->3515 3515->3466 3517 2df70b8 VirtualAllocEx 3516->3517 3519 2df7132 3517->3519 3519->3466 3521 2df71ab WriteProcessMemory 3520->3521 3523 2df71fc 3521->3523 3523->3467 3525 2df71ab WriteProcessMemory 3524->3525 3527 2df71fc 3525->3527 3527->3467 3529 2df7279 ResumeThread 3528->3529 3530 2df72a6 3529->3530 3530->3471 3532 2df7279 ResumeThread 3531->3532 3533 2df72a6 3532->3533 3533->3471

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 0 2df6b54-2df6bf9 2 2df6c4d-2df6c6f 0->2 3 2df6bfb-2df6c20 0->3 7 2df6cc6-2df6cf6 2->7 8 2df6c71-2df6c99 2->8 3->2 6 2df6c22-2df6c24 3->6 9 2df6c47-2df6c4a 6->9 10 2df6c26-2df6c30 6->10 16 2df6d4a-2df6e06 CreateProcessAsUserA 7->16 17 2df6cf8-2df6d1d 7->17 8->7 18 2df6c9b-2df6c9d 8->18 9->2 11 2df6c34-2df6c43 10->11 12 2df6c32 10->12 11->11 15 2df6c45 11->15 12->11 15->9 30 2df6e0f-2df6e83 16->30 31 2df6e08-2df6e0e 16->31 17->16 26 2df6d1f-2df6d21 17->26 19 2df6c9f-2df6ca9 18->19 20 2df6cc0-2df6cc3 18->20 21 2df6cad-2df6cbc 19->21 22 2df6cab 19->22 20->7 21->21 25 2df6cbe 21->25 22->21 25->20 28 2df6d44-2df6d47 26->28 29 2df6d23-2df6d2d 26->29 28->16 32 2df6d2f 29->32 33 2df6d31-2df6d40 29->33 42 2df6e85-2df6e89 30->42 43 2df6e93-2df6e97 30->43 31->30 32->33 33->33 34 2df6d42 33->34 34->28 42->43 44 2df6e8b-2df6e8e call 2df5fc4 42->44 45 2df6e99-2df6e9d 43->45 46 2df6ea7-2df6eab 43->46 44->43 45->46 48 2df6e9f-2df6ea2 call 2df5fc4 45->48 49 2df6ead-2df6eb1 46->49 50 2df6ebb-2df6ebf 46->50 48->46 49->50 54 2df6eb3-2df6eb6 call 2df5fc4 49->54 51 2df6ed1-2df6ed8 50->51 52 2df6ec1-2df6ec7 50->52 55 2df6eef 51->55 56 2df6eda-2df6ee9 51->56 52->51 54->50 59 2df6ef0 55->59 56->55 59->59
                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02DF6DF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID:
                                                                                          • API String ID: 2217836671-0
                                                                                          • Opcode ID: 085e00ee31292fd97c3206295bd564ddd8cefe81ae0d24fe6c3731d7b615353e
                                                                                          • Instruction ID: 482a599d5787e71700c812aa49344b9431761c23b1a071f7b81392dfaa291776
                                                                                          • Opcode Fuzzy Hash: 085e00ee31292fd97c3206295bd564ddd8cefe81ae0d24fe6c3731d7b615353e
                                                                                          • Instruction Fuzzy Hash: F7A14571E002198FEB50CF69C8417EDBBB6FF48304F1181A9E928A7790EB749985CF95

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 60 2df6b60-2df6bf9 62 2df6c4d-2df6c6f 60->62 63 2df6bfb-2df6c20 60->63 67 2df6cc6-2df6cf6 62->67 68 2df6c71-2df6c99 62->68 63->62 66 2df6c22-2df6c24 63->66 69 2df6c47-2df6c4a 66->69 70 2df6c26-2df6c30 66->70 76 2df6d4a-2df6e06 CreateProcessAsUserA 67->76 77 2df6cf8-2df6d1d 67->77 68->67 78 2df6c9b-2df6c9d 68->78 69->62 71 2df6c34-2df6c43 70->71 72 2df6c32 70->72 71->71 75 2df6c45 71->75 72->71 75->69 90 2df6e0f-2df6e83 76->90 91 2df6e08-2df6e0e 76->91 77->76 86 2df6d1f-2df6d21 77->86 79 2df6c9f-2df6ca9 78->79 80 2df6cc0-2df6cc3 78->80 81 2df6cad-2df6cbc 79->81 82 2df6cab 79->82 80->67 81->81 85 2df6cbe 81->85 82->81 85->80 88 2df6d44-2df6d47 86->88 89 2df6d23-2df6d2d 86->89 88->76 92 2df6d2f 89->92 93 2df6d31-2df6d40 89->93 102 2df6e85-2df6e89 90->102 103 2df6e93-2df6e97 90->103 91->90 92->93 93->93 94 2df6d42 93->94 94->88 102->103 104 2df6e8b-2df6e8e call 2df5fc4 102->104 105 2df6e99-2df6e9d 103->105 106 2df6ea7-2df6eab 103->106 104->103 105->106 108 2df6e9f-2df6ea2 call 2df5fc4 105->108 109 2df6ead-2df6eb1 106->109 110 2df6ebb-2df6ebf 106->110 108->106 109->110 114 2df6eb3-2df6eb6 call 2df5fc4 109->114 111 2df6ed1-2df6ed8 110->111 112 2df6ec1-2df6ec7 110->112 115 2df6eef 111->115 116 2df6eda-2df6ee9 111->116 112->111 114->110 119 2df6ef0 115->119 116->115 119->119
                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02DF6DF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID:
                                                                                          • API String ID: 2217836671-0
                                                                                          • Opcode ID: 7014be7419d63fb2dc619b161cc457989a7ae831e33cabf0ca62af5730f125cc
                                                                                          • Instruction ID: 5b880011e0919672dbb87e2a7ff91b2b6bb4bdfb709cb5559d04406aacbbb21d
                                                                                          • Opcode Fuzzy Hash: 7014be7419d63fb2dc619b161cc457989a7ae831e33cabf0ca62af5730f125cc
                                                                                          • Instruction Fuzzy Hash: 2FA13571E002198FEB50CF69C8417EDBBB6FF48304F1181A9E928A7790EB749985CF95

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 228 2df7160-2df71b1 230 2df71b3-2df71bf 228->230 231 2df71c1-2df71fa WriteProcessMemory 228->231 230->231 232 2df71fc-2df7202 231->232 233 2df7203-2df7224 231->233 232->233
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02DF71ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: 347566d94d15dcab87315a73f56c1f62786215a904f6f57d1b8bbae2e23fd497
                                                                                          • Instruction ID: de6b4f7ebf02ba63ddb464cfab8b758c3f085febf93eefdc25d85250f4051bcd
                                                                                          • Opcode Fuzzy Hash: 347566d94d15dcab87315a73f56c1f62786215a904f6f57d1b8bbae2e23fd497
                                                                                          • Instruction Fuzzy Hash: 3621E0B19002499FDB10CF9AD885BDEFBF4FB48310F10842AE918A7351D378A954CBA4

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 235 2df7158-2df71b1 237 2df71b3-2df71bf 235->237 238 2df71c1-2df71fa WriteProcessMemory 235->238 237->238 239 2df71fc-2df7202 238->239 240 2df7203-2df7224 238->240 239->240
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02DF71ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: ec206d2578c42bba2732ee74df876f803cff70703663b182476978a00423a575
                                                                                          • Instruction ID: 9140a754d9d73f7ef22bfd7a5567aa7f67c4dba4f305d86189d3f2ea1f4a8ec2
                                                                                          • Opcode Fuzzy Hash: ec206d2578c42bba2732ee74df876f803cff70703663b182476978a00423a575
                                                                                          • Instruction Fuzzy Hash: 6F2100B5900249DFDB00CFA9C985BDEBBF4BF48314F10842AE918A3351D378A954CBA4

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 242 2df6f30-2df6f84 245 2df6f86-2df6f8e 242->245 246 2df6f90-2df6fbc Wow64SetThreadContext 242->246 245->246 247 2df6fbe-2df6fc4 246->247 248 2df6fc5-2df6fe6 246->248 247->248
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02DF6FAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 250 2df6ff0-2df707b ReadProcessMemory 253 2df707d-2df7083 250->253 254 2df7084-2df70a5 250->254 253->254
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DF706E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 256 2df6f38-2df6f84 258 2df6f86-2df6f8e 256->258 259 2df6f90-2df6fbc Wow64SetThreadContext 256->259 258->259 260 2df6fbe-2df6fc4 259->260 261 2df6fc5-2df6fe6 259->261 260->261
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02DF6FAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 263 2df6ff8-2df707b ReadProcessMemory 265 2df707d-2df7083 263->265 266 2df7084-2df70a5 263->266 265->266
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DF706E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 268 2df70b0-2df7130 VirtualAllocEx 271 2df7139-2df714d 268->271 272 2df7132-2df7138 268->272 272->271
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02DF7123
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 274 2df70b8-2df7130 VirtualAllocEx 276 2df7139-2df714d 274->276 277 2df7132-2df7138 274->277 277->276
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02DF7123
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 279 2df7238-2df72a4 ResumeThread 281 2df72ad-2df72c1 279->281 282 2df72a6-2df72ac 279->282 282->281
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 284 2df7230-2df72a4 ResumeThread 286 2df72ad-2df72c1 284->286 287 2df72a6-2df72ac 284->287 287->286
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000026.00000002.3969181631.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_38_2_2df0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: D@
                                                                                          • API String ID: 0-2222373746
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: D@
                                                                                          • API String ID: 0-2222373746
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 04cfa26e8b575abc23dbcda4d0f8f5d384185a10cb9af31de5629add142d59a8
                                                                                          • Instruction ID: 4a3027da78ee38861c31a53d16e1999c75e9386991adeceff21adb89c1e6b383
                                                                                          • Opcode Fuzzy Hash: 04cfa26e8b575abc23dbcda4d0f8f5d384185a10cb9af31de5629add142d59a8
                                                                                          • Instruction Fuzzy Hash: 43216D34B205059FE714DBA9D994FAE7BF2FF88750F248158E502EB3A5CA719D01CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4004473764.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_ecd000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f9c6dd9380d5b968b3386692cea456eee2995c621565c0693b7052e55ea302ab
                                                                                          • Instruction ID: 9176a29ea8dc71de8b723815db792ac48f48bf65ae75bb580cf21e2669c8f9fa
                                                                                          • Opcode Fuzzy Hash: f9c6dd9380d5b968b3386692cea456eee2995c621565c0693b7052e55ea302ab
                                                                                          • Instruction Fuzzy Hash: 0B212171508240DFDB08DF14DAC0F16BB65FB94328F20C57CEA095A246C337E857CAA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4004473764.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_ecd000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                                                          • Instruction ID: f63ccd1b445ace0ea18c94cc44b9759c4c151412fe22d9038a233237d41f2456
                                                                                          • Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                                                          • Instruction Fuzzy Hash: 69119D76504280CFCB15CF10DAC4B16BF71FB94328F24C5A9D9494B656C33BE856CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 539f770c57ae9d86834ae5c953f00d80519266f7cbda97baadc092bda747a509
                                                                                          • Instruction ID: a8d9968f7c2325b7ec3fc0f9578a30b6429919192d5c7d0f8a7712f318f98135
                                                                                          • Opcode Fuzzy Hash: 539f770c57ae9d86834ae5c953f00d80519266f7cbda97baadc092bda747a509
                                                                                          • Instruction Fuzzy Hash: F8110270B012428FCB04EBB8A8545AA7BF6EF8934071804BDD407DB399DA31CC42CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a0c72c880c6621daa21b3f2fd0613e4a090565a34705c66f599277c570c84e41
                                                                                          • Instruction ID: b9e4075ba27c1cff2cf4aeb2394a0d17879f6bb60a61c99e4ec945a31fd9ded1
                                                                                          • Opcode Fuzzy Hash: a0c72c880c6621daa21b3f2fd0613e4a090565a34705c66f599277c570c84e41
                                                                                          • Instruction Fuzzy Hash: B911C074B01206CFCB54EBB9E8555AA7BE6EF883407140879D507DB398EA31DD42CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000027.00000002.4005282428.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_39_2_12b0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b7f28134628028522893c8de7fd520b40535ff0a66c4bf777ae61662a16a191b
                                                                                          • Instruction ID: c57b972fce75b4815b1e160347a19955a29cd42fafb7f701afe666e6fca59c77
                                                                                          • Opcode Fuzzy Hash: b7f28134628028522893c8de7fd520b40535ff0a66c4bf777ae61662a16a191b
                                                                                          • Instruction Fuzzy Hash: D3E0C2323022004F83449A3EB88889BB7DAEFCC530314087AF109C7321CE70CC014390

                                                                                          Execution Graph

                                                                                          Execution Coverage:30.6%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:100
                                                                                          Total number of Limit Nodes:7
                                                                                          execution_graph: node/edge listing used to render the execution graph (renderer data, not reproduced here); API calls appearing in the graph: VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, CreateProcessAsUserA, ReadProcessMemory, ResumeThread

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 0 1126b54-1126bf9 2 1126bfb-1126c20 0->2 3 1126c4d-1126c6f 0->3 2->3 8 1126c22-1126c24 2->8 6 1126c71-1126c99 3->6 7 1126cc6-1126cf6 3->7 6->7 18 1126c9b-1126c9d 6->18 16 1126d4a-1126e06 CreateProcessAsUserA 7->16 17 1126cf8-1126d1d 7->17 9 1126c26-1126c30 8->9 10 1126c47-1126c4a 8->10 13 1126c32 9->13 14 1126c34-1126c43 9->14 10->3 13->14 14->14 15 1126c45 14->15 15->10 30 1126e08-1126e0e 16->30 31 1126e0f-1126e83 16->31 17->16 25 1126d1f-1126d21 17->25 19 1126cc0-1126cc3 18->19 20 1126c9f-1126ca9 18->20 19->7 22 1126cab 20->22 23 1126cad-1126cbc 20->23 22->23 23->23 26 1126cbe 23->26 27 1126d23-1126d2d 25->27 28 1126d44-1126d47 25->28 26->19 32 1126d31-1126d40 27->32 33 1126d2f 27->33 28->16 30->31 42 1126e93-1126e97 31->42 43 1126e85-1126e89 31->43 32->32 34 1126d42 32->34 33->32 34->28 45 1126ea7-1126eab 42->45 46 1126e99-1126e9d 42->46 43->42 44 1126e8b-1126e8e call 1125fc4 43->44 44->42 49 1126ebb-1126ebf 45->49 50 1126ead-1126eb1 45->50 46->45 48 1126e9f-1126ea2 call 1125fc4 46->48 48->45 53 1126ed1-1126ed8 49->53 54 1126ec1-1126ec7 49->54 50->49 52 1126eb3-1126eb6 call 1125fc4 50->52 52->49 56 1126eda-1126ee9 53->56 57 1126eef 53->57 54->53 56->57 59 1126ef0 57->59 59->59
                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01126DF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID:
                                                                                          • API String ID: 2217836671-0
                                                                                          • Opcode ID: e307a66dcb133466f98cc7296ff2b6f73839aa351ef6099264bd24d8b867a864
                                                                                          • Instruction ID: a4034a3e3eb30de8076d8d2d4fd82feeac75200de61fc0272616290bf7ff7b0c
                                                                                          • Opcode Fuzzy Hash: e307a66dcb133466f98cc7296ff2b6f73839aa351ef6099264bd24d8b867a864
                                                                                          • Instruction Fuzzy Hash: A4A18C70E002299FEB18DFA9C8417DDBBF2FF48304F0481A9E818A7280DB349995CF91

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 60 1126b60-1126bf9 62 1126bfb-1126c20 60->62 63 1126c4d-1126c6f 60->63 62->63 68 1126c22-1126c24 62->68 66 1126c71-1126c99 63->66 67 1126cc6-1126cf6 63->67 66->67 78 1126c9b-1126c9d 66->78 76 1126d4a-1126e06 CreateProcessAsUserA 67->76 77 1126cf8-1126d1d 67->77 69 1126c26-1126c30 68->69 70 1126c47-1126c4a 68->70 73 1126c32 69->73 74 1126c34-1126c43 69->74 70->63 73->74 74->74 75 1126c45 74->75 75->70 90 1126e08-1126e0e 76->90 91 1126e0f-1126e83 76->91 77->76 85 1126d1f-1126d21 77->85 79 1126cc0-1126cc3 78->79 80 1126c9f-1126ca9 78->80 79->67 82 1126cab 80->82 83 1126cad-1126cbc 80->83 82->83 83->83 86 1126cbe 83->86 87 1126d23-1126d2d 85->87 88 1126d44-1126d47 85->88 86->79 92 1126d31-1126d40 87->92 93 1126d2f 87->93 88->76 90->91 102 1126e93-1126e97 91->102 103 1126e85-1126e89 91->103 92->92 94 1126d42 92->94 93->92 94->88 105 1126ea7-1126eab 102->105 106 1126e99-1126e9d 102->106 103->102 104 1126e8b-1126e8e call 1125fc4 103->104 104->102 109 1126ebb-1126ebf 105->109 110 1126ead-1126eb1 105->110 106->105 108 1126e9f-1126ea2 call 1125fc4 106->108 108->105 113 1126ed1-1126ed8 109->113 114 1126ec1-1126ec7 109->114 110->109 112 1126eb3-1126eb6 call 1125fc4 110->112 112->109 116 1126eda-1126ee9 113->116 117 1126eef 113->117 114->113 116->117 119 1126ef0 117->119 119->119
                                                                                          APIs
                                                                                          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01126DF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcessUser
                                                                                          • String ID:
                                                                                          • API String ID: 2217836671-0
                                                                                          • Opcode ID: 0afda35812f8b9422d224f72c276d7ab7b866332b0be6a8ac51ece4e69ec8670
                                                                                          • Instruction ID: dd895b1d4b0970d157635d2342f2a4bdd031a1cb81eb74895b18143c53a0bb5e
                                                                                          • Opcode Fuzzy Hash: 0afda35812f8b9422d224f72c276d7ab7b866332b0be6a8ac51ece4e69ec8670
                                                                                          • Instruction Fuzzy Hash: 82A17C70E002299FEB18DFA9C8517DDBBF2FF48304F1481A9E818A7290DB749995CF91

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 273 1127158-11271b1 275 11271b3-11271bf 273->275 276 11271c1-11271fa WriteProcessMemory 273->276 275->276 277 1127203-1127224 276->277 278 11271fc-1127202 276->278 278->277
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 011271ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: 25318b543f6fdbfd9b27fdc837d4048feb434c896ffaefa60c6e0fd85f326ca5
                                                                                          • Instruction ID: c6f8ef7d94f6471b6eac8e55b8bd7af33b6ef715d00f4102dd070f903e4a4881
                                                                                          • Opcode Fuzzy Hash: 25318b543f6fdbfd9b27fdc837d4048feb434c896ffaefa60c6e0fd85f326ca5
                                                                                          • Instruction Fuzzy Hash: F12100B5900359DFDB04CFA9C985BDEBBF5BF48310F10842AE918A7250D378A954CBA4

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 280 1127160-11271b1 282 11271b3-11271bf 280->282 283 11271c1-11271fa WriteProcessMemory 280->283 282->283 284 1127203-1127224 283->284 285 11271fc-1127202 283->285 285->284
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 011271ED
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: 7a91597ab93eb51368ff35f857461bd0bd7469963dcd78d293f74b6255c18bb2
                                                                                          • Instruction ID: f632f4d7a56971979ef642267d3871f26ca0b1277e983523d22d59079d10093f
                                                                                          • Opcode Fuzzy Hash: 7a91597ab93eb51368ff35f857461bd0bd7469963dcd78d293f74b6255c18bb2
                                                                                          • Instruction Fuzzy Hash: EE2112B1900359DFDB14CF9AC885BDEBBF5FF48310F10842AE918A7250D378A954CBA4

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 287 1126f30-1126f84 290 1126f90-1126fbc Wow64SetThreadContext 287->290 291 1126f86-1126f8e 287->291 292 1126fc5-1126fe6 290->292 293 1126fbe-1126fc4 290->293 291->290 293->292
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01126FAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          • Opcode ID: 6f3e8028650f32f47897da83d949873f2b7e0a82338fed095af31afa02f325cc
                                                                                          • Instruction ID: 0ecbabb1c13c76f164d8602a363974b57336f10d57178c49ce487b1ccecad908
                                                                                          • Opcode Fuzzy Hash: 6f3e8028650f32f47897da83d949873f2b7e0a82338fed095af31afa02f325cc
                                                                                          • Instruction Fuzzy Hash: 592147B19006199FDB04CFAAC485BEEFFF4BB48310F10812AE818A3240D778A914CFA5

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 295 1126ff0-112707b ReadProcessMemory 298 1127084-11270a5 295->298 299 112707d-1127083 295->299 299->298
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0112706E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          • Opcode ID: 240fe532d981f06196514180ec2e4e851738e8f8389dfae8028d644df054a26b
                                                                                          • Instruction ID: 9d7f84903d1477fa096fbff312caf64e6e3623eca4b764896450a229451270d9
                                                                                          • Opcode Fuzzy Hash: 240fe532d981f06196514180ec2e4e851738e8f8389dfae8028d644df054a26b
                                                                                          • Instruction Fuzzy Hash: 9F2127B59002499FDB10CFAAC484BDEFFF4EF48310F108029E958A7251D378A554CFA5

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 301 1126f38-1126f84 303 1126f90-1126fbc Wow64SetThreadContext 301->303 304 1126f86-1126f8e 301->304 305 1126fc5-1126fe6 303->305 306 1126fbe-1126fc4 303->306 304->303 306->305
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01126FAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          • Opcode ID: d055eaf74499e8cede26951a3f29f9ad1c5cce950ee040b5c920a9c067f4e881
                                                                                          • Instruction ID: f5c6d84a437666d552dce0cd91ca31c7e1b9495e32c3719034cc11f3f439608b
                                                                                          • Opcode Fuzzy Hash: d055eaf74499e8cede26951a3f29f9ad1c5cce950ee040b5c920a9c067f4e881
                                                                                          • Instruction Fuzzy Hash: 192106B1D0061A9FDB04CF9AC545BDEFBF4BB48610F50812AE918A7240D778A954CFA5

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 308 1126ff8-112707b ReadProcessMemory 310 1127084-11270a5 308->310 311 112707d-1127083 308->311 311->310
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0112706E
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          • Opcode ID: a38d97906fab24d7cf5a91e73d4f1f89535717b757db618595a31fb7e048f25e
                                                                                          • Instruction ID: 504bb5ab15af06e30beb203e54cbbb80cd495b341659932a2be8f7bedd910a1b
                                                                                          • Opcode Fuzzy Hash: a38d97906fab24d7cf5a91e73d4f1f89535717b757db618595a31fb7e048f25e
                                                                                          • Instruction Fuzzy Hash: 6921D3B5900249DFDB14CF9AC984BDEFBF4FB48320F108429E958A7250D379A954CFA5

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 313 11270b0-1127130 VirtualAllocEx 316 1127132-1127138 313->316 317 1127139-112714d 313->317 316->317
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01127123
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 9251bedaf4dfc7a19bf53ad33957ccf72ba87ae89066b7bb138c6493605693e9
                                                                                          • Instruction ID: 590f5320cf2ec7af666d30c0865d60211872e6f0e160aab68a2ebac6b2bc467b
                                                                                          • Opcode Fuzzy Hash: 9251bedaf4dfc7a19bf53ad33957ccf72ba87ae89066b7bb138c6493605693e9
                                                                                          • Instruction Fuzzy Hash: E21102B58002599FDB10CF9AD885BDEBFF4EF88320F208419E918A7250C735A554CFA5

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 319 11270b8-1127130 VirtualAllocEx 321 1127132-1127138 319->321 322 1127139-112714d 319->322 321->322
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01127123
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: a3507ffaf4051667a6c9c03aee8d0def65514ff15c88f966d5b3a65de2e21513
                                                                                          • Instruction ID: a93263f9ec45485239fd699af406ad77b10d5d671509663e4d3847b665e27d02
                                                                                          • Opcode Fuzzy Hash: a3507ffaf4051667a6c9c03aee8d0def65514ff15c88f966d5b3a65de2e21513
                                                                                          • Instruction Fuzzy Hash: 731110B5800259DFDB10CF9AC884BDEBFF4EF88320F208419E918A7250C335A954CFA4

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 324 1127230-11272a4 ResumeThread 326 11272a6-11272ac 324->326 327 11272ad-11272c1 324->327 326->327
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 3c3aa6b76a23c949877055bbcc8d4fc712963b0d588e19c1edec25fd76d93916
                                                                                          • Instruction ID: fdee7d57e3f45545f04ab3367e494ec6d9253684a69ae2567b55e368c4099fbf
                                                                                          • Opcode Fuzzy Hash: 3c3aa6b76a23c949877055bbcc8d4fc712963b0d588e19c1edec25fd76d93916
                                                                                          • Instruction Fuzzy Hash: 281142B5800359CFDB10DF9AC585BDEBBF4AF48320F20881AE518B7240C378A544CFA5

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 329 1127238-11272a4 ResumeThread 331 11272a6-11272ac 329->331 332 11272ad-11272c1 329->332 331->332
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000002F.00000002.4563585085.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_47_2_1120000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 542ad77e3c011178f42967600b9a5ced5f6a2e6522b838d510ecf8356831f054
                                                                                          • Instruction ID: 17c743dba59096dfc48e79fbf5ff9aa34d724a304417faec1575289fedaba061
                                                                                          • Opcode Fuzzy Hash: 542ad77e3c011178f42967600b9a5ced5f6a2e6522b838d510ecf8356831f054
                                                                                          • Instruction Fuzzy Hash: F11112B5800249CFDB10DF9AD444BDEFBF4EB88324F20841AE518A7250C774A944CFA5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000030.00000002.4610858542.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_48_2_cf0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: d t
                                                                                          • API String ID: 0-2792223501
                                                                                          • Opcode ID: db5cd3ccc40d11d348d2b5cf6b3bb0f326ccd3ac63e52c9f6eb2d465db62ad8f
                                                                                          • Instruction ID: 47c5f39a912bca1d627c7ed065fe61b10c7676430723b628e8ba9e61b32cfb0f
                                                                                          • Opcode Fuzzy Hash: db5cd3ccc40d11d348d2b5cf6b3bb0f326ccd3ac63e52c9f6eb2d465db62ad8f
                                                                                          • Instruction Fuzzy Hash: DB418C30B105148FCB48EB69C458B6EBBE6AF89700F2580A9E906DB3A5CF71DC018B95
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000030.00000002.4610858542.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_48_2_cf0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 620c181e371b7d67d1aee9b00a4e52f578a6dea33fe47a19652a63b2b2acca2a
                                                                                          • Instruction ID: 920a86ed070c1444c3bf591efbe465c9dd1745e3e985569313a72ac14aecccfc
                                                                                          • Opcode Fuzzy Hash: 620c181e371b7d67d1aee9b00a4e52f578a6dea33fe47a19652a63b2b2acca2a
                                                                                          • Instruction Fuzzy Hash: F651B73A501206CFEB06FB38E844A5A7B63FB85B09710C668D5019B36DDB399A47CF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000030.00000002.4610858542.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_48_2_cf0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7c7f5c98c59de069d3e658d01a1af5c8edb20f7e840a5bcb6bb22ee67bdb4062
                                                                                          • Instruction ID: b68939c8e8a235e3dd302bfb0062ec219004c2280e925c3b21c34a389cfff5f5
                                                                                          • Opcode Fuzzy Hash: 7c7f5c98c59de069d3e658d01a1af5c8edb20f7e840a5bcb6bb22ee67bdb4062
                                                                                          • Instruction Fuzzy Hash: 2631933071174A8FEB94AB79981433E7AA6AF41F04720882DDA57C7256EF24CE41AB53
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000030.00000002.4610858542.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_48_2_cf0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8f73fb1e536a0611d8dfb9c2ba59a1cfc9781ccd4a847587ccb83c7efe40fd14
                                                                                          • Instruction ID: c6af6a1adf9941607de9cc389b724f47a3355d5ccfd6187113e40befe62312b4
                                                                                          • Opcode Fuzzy Hash: 8f73fb1e536a0611d8dfb9c2ba59a1cfc9781ccd4a847587ccb83c7efe40fd14
                                                                                          • Instruction Fuzzy Hash: D73195307017498FEB94AB79981433E7AA6BB41F04720843DDA57C7256EF24CE41DB52
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000030.00000002.4610858542.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_48_2_cf0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6d3f6906e3c212aed801ad86705b968969cbf24347bde9384d018f3e7058b495
                                                                                          • Instruction ID: 0b181ad7fc9562964ed4a3ea68244325c90a0b1ba1b9cebd05fc5e9c69ff836e
                                                                                          • Opcode Fuzzy Hash: 6d3f6906e3c212aed801ad86705b968969cbf24347bde9384d018f3e7058b495
                                                                                          • Instruction Fuzzy Hash: AA319371A002098FDB14DF69C458BADBBF2BF88300F248569E501AB3A2CB749D45CB61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000030.00000002.4610858542.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_48_2_cf0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 801113cf869f0c95a1fae0407bdacdda1c00b77a9281d849745226e4b0789169
                                                                                          • Instruction ID: d05b9f39ca2add94a1fa8b112b22f389e5d4c9721b8356daa1b4f810b65993aa
                                                                                          • Opcode Fuzzy Hash: 801113cf869f0c95a1fae0407bdacdda1c00b77a9281d849745226e4b0789169
                                                                                          • Instruction Fuzzy Hash: 9A21BF30B011568FDB58EB798851A7EBBF2BFC9300B18416DE606DB395DE30CD018B90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000030.00000002.4610858542.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_48_2_cf0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dfadf6cc9260691cf7b118cdc909ffa92aaef4b78b83ddae7f5b5467d716adb2
                                                                                          • Instruction ID: 3fc0e9d9246a230d7eacff2f0abc5b7f582c8c1524784a02a2456639d4a547f6
                                                                                          • Opcode Fuzzy Hash: dfadf6cc9260691cf7b118cdc909ffa92aaef4b78b83ddae7f5b5467d716adb2
                                                                                          • Instruction Fuzzy Hash: F1318E71A00209CFDB14DF69C458BAEBBF2BF88300F248569E501AB3A2CB75DD45CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000030.00000002.4610415242.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_48_2_c9d000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dc21fe4f686e6103e190b16672e97950995ce2e743a5e805f1536a8ec6fb89ec
                                                                                          • Instruction ID: 75e4685f8394a40e9b5a3e832d5f38bf5526a87f15a1d719449bcd5d3bdd91b3
                                                                                          • Opcode Fuzzy Hash: dc21fe4f686e6103e190b16672e97950995ce2e743a5e805f1536a8ec6fb89ec
                                                                                          • Instruction Fuzzy Hash: C4212571500200EFDF04DF14D9C8B26BF65FB94314F20C56DE90A1B256C336E856CBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000030.00000002.4610858542.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_48_2_cf0000_RemoteDestopManagerx86.jbxd
                                                                                          Similarity
                                                                                          • API ID: