Windows Analysis Report
SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Analysis ID: 1446230
MD5: 91222ab87d00d9ebff53a1b275760a49
SHA1: 3870e1c16c22984f21f113794666ed6b9bb1b0dd
SHA256: e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59
Tags: exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: https://autodiscover.com/autodiscover/autodiscover.xml URL Reputation: Label: phishing
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Avira: detection malicious, Label: HEUR/AGEN.1363959
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe ReversingLabs: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.4% probability
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdb source: npdeployJava1.dll.1.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mapiph.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MAPIPH.DLL.1.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\lync.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: lync.exe.1.dr
Source: Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.1.dr
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mspst32.pdb source: MSPST32.DLL.1.dr
Source: Binary string: D:\T\BuildResults\bin\Release\AcrobatExe.pdb source: Acrobat.exe.1.dr
Source: Binary string: symsrv.pdb source: 393A.tmp, 00000001.00000003.2285614223.0000000001483000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2244269952.0000000001483000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mapiph.pdb source: MAPIPH.DLL.1.dr
Source: Binary string: MpDetours.pdb source: MpDetours.dll.1.dr
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetours.pdbGCTL source: MpDetours.dll.1.dr
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.1.dr
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mspst32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSPST32.DLL.1.dr
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setup.pdbtup.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: Unable to locate the .pdb file in this location source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\lync.pdb source: lync.exe.1.dr
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 393A.tmp, 00000001.00000003.2242665140.0000000001456000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: 393A.tmp, 00000001.00000003.2285614223.0000000001483000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2244269952.0000000001483000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setup.pdb source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2ssv\obj\jp2ssv.pdb source: jp2ssv.dll.1.dr
Source: Binary string: or you do not have access permission to the .pdb location. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdbe source: npdeployJava1.dll.1.dr
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tup.pdb source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\sh\odct\1105_210049_0\client\onedrive\Setup\Standalone\exe\obj\i386\OneDriveSetup.pdb source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL32.DllA\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\OUTLVBA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\onmain.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocogl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SHAREPOINTPROVIDER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocpptview.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONVERT\TRANSMGR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RECALL.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLMAPI32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLMIME.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_bho.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLKFSTUB.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\UmOutlookAddin.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OIMG.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OutlookWebHost.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Psom.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OMICAUT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msipc\msipc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OWSCLT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-inv16\sqmapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PUBCONV.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPCORE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VISSHE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Uc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOCIALPROVIDER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SEQCHK10.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSRTEDIT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Tec.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OsfTaskengine.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\STSCOPY.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UCAddin.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\MSVCR71.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLVBS.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WWLIB.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAME.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\roottools.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScr.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONFILTER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\v8jsi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONVERT\RM.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RTC.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Win32MsgQueue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PSTPRX32.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLFLTR.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\1033\XLSLICER.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\scdec.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcOffice.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLCTL.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLPH.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocrec.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr110.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWDWG.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\pdf2text.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\management.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\MSVCR120.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBCTRAC.DLL Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00404A94 FindFirstFileExA, 0_2_00404A94
Source: MAPIPH.DLL.1.dr String found in binary or memory: http:///api/v1/query127.0.0.1:8043ModuleUnknown
Source: MSPST32.DLL.1.dr String found in binary or memory: http://127.0.0.1:8043
Source: MSACCESS.EXE.1.dr String found in binary or memory: http://127.0.0.1;LIST=;VIEW=dBASE
Source: lync.exe.1.dr String found in binary or memory: http://CurrentVersion.htmLync16LyncClassesSoftwareMicrosoftIM
Source: MSACCESS.EXE.1.dr String found in binary or memory: http://UserName.htm.htmlInterfaceExcelOutlookPowerPointWordInternet
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/Di
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 393A.tmp, 00000001.00000003.2281492148.000000000136C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 393A.tmp, 00000001.00000003.2281492148.000000000136C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: 393A.tmp, 00000001.00000003.2281492148.000000000136C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: helper.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.di
Source: 393A.tmp, 00000001.00000003.2281492148.000000000136C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 393A.tmp, 00000001.00000003.2281492148.000000000136C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: 393A.tmp, 00000001.00000003.2281492148.000000000136C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0~
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
Source: npdeployJava1.dll.1.dr String found in binary or memory: https://HTTP/1.1GETSRange:
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aefd.nel
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.000000000137B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2#HY
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2#Rengiame
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2%Ons
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2%We
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2(
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2(Na-akwadobe
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2(PY
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2)
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2)Vi
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2-
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2-9
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2.
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2.Rydyn
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac25
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2;Nous
Source: 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA$Estamos
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA$Imakunatapas
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA%
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA%We
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA&C
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA(Pripremamo
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA1
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA1E
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA1OneDrive
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA3Ch
Source: 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AAbbac2PA3OneDrive
Source: lync.exe.1.dr String found in binary or memory: https://aka.ms/convergencefaq
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: 393A.tmp, 00000001.00000003.2285571122.0000000001A11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/ui.win32.js.map/d6bb35bc608af2672a5b746ba
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.com.br/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.com.br/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.com.cn/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.com.cn/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.com/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.com/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.es/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.es/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.fr/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.fr/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.in/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.in/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.it/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.it/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.online/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.online/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.sg/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.sg/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.uk/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.uk/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.xyz/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://autodiscover.xyz/autodiscover/autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Acrobat.exe.1.dr String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlBrowser
Source: 393A.tmp, 00000001.00000003.2285571122.0000000001A11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/generate_204
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: Acrobat.exe.1.dr String found in binary or memory: https://crbug.com/820996
Source: Acrobat.exe.1.dr String found in binary or memory: https://crbug.com/820996LaunchElevatedProcessXML
Source: 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
Source: 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/1rewlive5skydrive/win81https://g.live.com/1rewlive5skydrive/win8https://g.live.co
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Enterprisehttps://g.live.com/odclientsettings/MsitFasthttps://g.
Source: 393A.tmp, 00000001.00000003.2285571122.0000000001A11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/react-native-community/react-native-netinfo
Source: MSACCESS.EXE.1.dr String found in binary or memory: https://globaldisco.crm.microsoftdynamics.us/https://make.gov.powerapps.us/environments/https://glob
Source: npdeployJava1.dll.1.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/baseline.version%sURLOverrideSoftware
Source: npdeployJava1.dll.1.dr String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL%s?BundleId=%surl%s%stmp1.8%s.0https://javadl.oracl
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: MSACCESS.EXE.1.dr String found in binary or memory: https://make.powerapps.com/environments/ImexWiz
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/offic
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: AutoIt3Help.exe.1.dr String found in binary or memory: https://www.autoitscript.com/site/autoit/8
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_0058B588 0_2_0058B588
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00583E73 0_2_00583E73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_005832AB 0_2_005832AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_0057B6AA 0_2_0057B6AA
Source: Acrobat.exe.1.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: EmbeddedBrowserWebView.dll.1.dr Static PE information: Resource name: RT_VERSION type: Hitachi SH little-endian COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe, 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesetup.exeZ vs SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Binary or memory string: OriginalFilenamesetup.exeZ vs SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: 393A.tmp.0.dr Static PE information: Section: .data ZLIB complexity 0.9983910379955947
Source: Acrobat.exe.1.dr Binary string: r\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\4202392NtQueryObjectRtlNtStatusToDosErrorRtlCompareUnicodeString\Device\WinDFSCdmRedirectorVolume\Device\HarddiskVolumeDirectoryFileEventSectionKey<>:"\|?*Software\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDownbEnableSameObjectCheckbSupportRDSUPDSYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettingsUvhdEnabledbFilePathPreprocessingUseFileHandleEnabledbFilePathPreprocessingShortcutEnabled"GetFinalPathNameByHandleWGetVolumeInformationByHandleWGetVolumeInformationWacrolock%s%u.%u.%u.tmp%s%s%ssnacnp64.dllsnacnp.dll:\:/ADC4307573:$conprnauxnulcomlptshell:::\/:..NtQueryInformationFilewin\src\win_utils.ccSameKernelObject check failed: {100184D2-BDC3-477a-B8D3-65548B67914C}_%uLocal\Global\NtQueryVolumeInformationFileSYSTEM\CurrentControlSet\Control\Terminal ServerGlassSessionIduserenv.dllDeriveAppContainerSidFromAppContainerNameGetAppContainerFolderPathNtOpenDirectoryObjectGetAppContainerNamedObjectPath\Sessions\%d\%sNtQueryInformationProcess[ZoneTransfer]
Source: Acrobat.exe.1.dr Binary string: \\.\ko.%x.%x.%xSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer320123456789abcdef\Device\HarddiskVolume.
Source: Acrobat.exe.1.dr Binary string: \??\UNC\\\.\\Device\SftVol\ntdll.dllA:\Device\\\?\/?/UNC/\?\UNC\
Source: Acrobat.exe.1.dr Binary string: sbox_alternate_desktop_local_winstation_\??\\\?\\\?\UNC\\\.\\??\pipe\\??\mailslot\\/?/?\\Device\
Source: MpDetours.dll.1.dr Binary string: w\\.\\\?\UNC\\\?\\Device\Mup\\\
Source: Acrobat.exe.1.dr Binary string: C\\?\pipe\NGLWFPipe__INS:(ML;;NW;;;LW)D:P(A;;GA;;;OW)(A;;GA;;;AC)\\?\pipe\\Device\NamedPipe\win\src\named_pipe_policy.ccSameObject check failed: InitializeProcThreadAttributeListUpdateProcThreadAttributewin\src\process_thread_policy.ccCreateProcessWAction: STATUS_ACCESS_DENIEDapp name: command line: NtCreateProcessExntdll.dllNtSuspendProcessNtResumeProcessNtQuerySymbolicLinkObjectNtOpenSymbolicLinkObjectNtClose%d\Sessions\BNOLINKSNtCreateEventNtOpenEventwin\src\signed_policy.ccHandle AccessCheck failed:
Source: Acrobat.exe.1.dr Binary string: {A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-0000-7760-7E8A45000000}TrunkBetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.SOFTWARE\Google\Chrome\NativeMessagingHosts\Acrobat.Document.11.pdfcom.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj.VersionMajor{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\DC\InstallerLowerCoExVersionCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionReleaseId/i msiexec.exe REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qnBROADCASTCEFRELOAD=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qb\/\*cef_* CLEANUP_CEFFOLDER=1 
DISABLE_FIU_CHECK=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exe ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithListMRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProdu
Source: lync.exe.1.dr Binary or memory string: CSoftware\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Office\16.0\Lync\%sSoftware\Microsoft\Office\16.0\Lync\%s\LocationsSoftware\Microsoft\Office\16.0\Lync\%s\DSSoftware\Microsoft\Office\16.0\Lync\%sLYNCDSBkgndModeDSCLOSELSCONFDSBRANCHOFFICEWARNINGDSCLOSEIMDSCLOSEVOICEDSCLOSEVOICEVIDEODSCLOSEPBXDsCloseCallParkDSMultiModeCloseDSFTAndOthersCloseDSLogoutCloseConversationsDSPublishNumberTellSetDelegatesNoticeWindowRectWindowMaxIMWindowRectIMWindowWidthChatRoomIMWindowWidthMultiAVRoomIMWindowWidthMeetingLargeRoomIMWindowWidthMediumRoomIMWindowWidthSmallRoomIM Save DirectoryShowDirChangeMsgSoftware\Microsoft\Office\16.0\Lync\%s\GroupChatNewMessageRingtoneIndexHighImportanceRingtoneIndexNewMessageCustomeRingtoneFileNameHighImportanceCustomeRingtoneFileNameDontShowLocationWarningLocationsConversationsTabbedConversationFoldersPreferredGeometryDontShowCWCloseTabQueryFontFaceFontColorRefFontSizeIsApplyingToIncomingMessagesPassiveAuthUrlsLCCBLUIManagerLCCHiddenWindowClassLCCHiddenWindowClassTaskbarCreatedTaskbarButtonCreatedTryWindowsMsgrShutdownautomationembeddingfromrunkeyendorserSoftware\IM ProvidersDefaultIMAppurn:ietf:wg:oauth:2.0:ooburn:http-auth:PKeyAuth.ade,.adp,.app,.asp,.bas,.bat,.cer,.chm,.cmd,.com,.cpl,.crt,.csh,.exe,.fxp,.grp,.hlp,.hta,.inf,.ins,.isp,.its,.js,.jse,.ksh,.lnk,.mad,.maf,.mag,.mam,.maq,.mar,.mas,.mat,.mau,.mav,.maw,.mda,.mdb,.mde,.mdt,.mdw,.mdz,.msc,.msi,.msp,.mst,.ocx,.ops,.pcd,.pif,.pl,.pnp,.prf,.prg,.pst,.reg,.scf,.scr,.sct,.shb,.shs,.tmp,.url,.vb,.vbe,.vbs,.vsd,.vsmacros,.vss,.vst,.vsw,.ws,.wsc,.wsf,.wsh,.cnt,.der,.diagcab,.gadget,.hpj,.jar,.jnlp,.mcf,.msh,.msh1,.msh2,.msh1xml,.msh2xml,.mshxml,.msu,.osd,.plg,.printerexport, .ps1, .ps2, .ps1xml, .ps2xml, .psc1, .psc2, .psd1, .psdm1,.theme, .vbp, .webpnp, .website, .xbap, .xll, .xnk,LyncLync AttendeeSystem policy has disabled Lync ((HKCU/HKLM)Software\Policies\Microsoft\Office\Lync\PreventRun). Lync has shut down. * + ,
Source: classification engine Classification label: mal80.spre.winEXE@3/121@0/0
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Mutant created: \Sessions\1\BaseNamedObjects\GA2RZNbm
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe File created: C:\Users\user\AppData\Local\Temp\393A.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Command line argument: setup.dll 0_2_00401557
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Command line argument: WinMain 0_2_00401557
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MSACCESS.EXE.1.dr Binary or memory string: SELECT [|3].* INTO [|1] IN '|2' FROM [|3]INSERT INTO [|1] IN '|2' SELECT [|3].* FROM [|3];XML\Transforms\ExportTransformsXML\Transforms\ImportTransformsIndex1yyyy|0;MAPILEVEL=|1;PROFILE=|2;TABLETYPE=|3HTML Import;IMEX=1;HDR=NO;CharacterSet=|0WSIDimex:ListPathimex:AdditionalDataimex:Column[not(@Width)]imex:Tableimex:AccessObject
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 393A.tmp, 00000001.00000003.2277134741.0000000001464000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe ReversingLabs: Detection: 63%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Process created: C:\Users\user\AppData\Local\Temp\393A.tmp C:\Users\user\AppData\Local\Temp\393A.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: setup.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Section loaded: sfc_os.dll
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdb source: npdeployJava1.dll.1.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mapiph.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MAPIPH.DLL.1.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\lync.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: lync.exe.1.dr
Source: Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.1.dr
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mspst32.pdb source: MSPST32.DLL.1.dr
Source: Binary string: D:\T\BuildResults\bin\Release\AcrobatExe.pdb source: Acrobat.exe.1.dr
Source: Binary string: symsrv.pdb source: 393A.tmp, 00000001.00000003.2285614223.0000000001483000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2244269952.0000000001483000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mapiph.pdb source: MAPIPH.DLL.1.dr
Source: Binary string: MpDetours.pdb source: MpDetours.dll.1.dr
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetours.pdbGCTL source: MpDetours.dll.1.dr
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.1.dr
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mspst32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSPST32.DLL.1.dr
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setup.pdbtup.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: Unable to locate the .pdb file in this location source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\lync.pdb source: lync.exe.1.dr
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 393A.tmp, 00000001.00000003.2242665140.0000000001456000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: 393A.tmp, 00000001.00000003.2285614223.0000000001483000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2244269952.0000000001483000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setup.pdb source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2ssv\obj\jp2ssv.pdb source: jp2ssv.dll.1.dr
Source: Binary string: or you do not have access permission to the .pdb location. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdbe source: npdeployJava1.dll.1.dr
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tup.pdb source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\sh\odct\1105_210049_0\client\onedrive\Setup\Standalone\exe\obj\i386\OneDriveSetup.pdb source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: mfc140u.dll.1.dr Static PE information: 0xB68BCE5A [Tue Jan 18 22:34:02 2067 UTC]
Source: lync99.exe.1.dr Static PE information: section name: .c2r
Source: mce.dll.1.dr Static PE information: section name: .orpc
Source: mfc140u.dll.1.dr Static PE information: section name: .didat
Source: mip_pdf_sdk.dll.1.dr Static PE information: section name: .didat
Source: AGM.dll.1.dr Static PE information: section name: .didat
Source: msoadfsb.exe.1.dr Static PE information: section name: .detourc
Source: msoadfsb.exe.1.dr Static PE information: section name: .c2r
Source: VC_redist.x64.exe.1.dr Static PE information: section name: .wixburn
Source: MpDetours.dll.1.dr Static PE information: section name: .detourc
Source: MpDetours.dll.1.dr Static PE information: section name: .detourd
Source: MpDetoursCopyAccelerator.dll.1.dr Static PE information: section name: .detourc
Source: MpDetoursCopyAccelerator.dll.1.dr Static PE information: section name: .detourd
Source: Acrobat.exe.1.dr Static PE information: section name: .didat
Source: AcroPDFImpl.dll.1.dr Static PE information: section name: .orpc
Source: AppvIsvSubsystems32.dll.1.dr Static PE information: section name: .mrdata
Source: AppvIsvSubsystems32.dll.1.dr Static PE information: section name: .detourd
Source: AppvIsvSubsystems32.dll.1.dr Static PE information: section name: .detourc
Source: AppvIsvSubsystems32.dll.1.dr Static PE information: section name: .c2r
Source: AutoItX3.dll.1.dr Static PE information: section name: .orpc
Source: ie_to_edge_bho.dll.1.dr Static PE information: section name: .00cfg
Source: EmbeddedBrowserWebView.dll.1.dr Static PE information: section name: .00cfg
Source: EmbeddedBrowserWebView.dll.1.dr Static PE information: section name: .rodata
Source: EmbeddedBrowserWebView.dll.1.dr Static PE information: section name: CPADinfo
Source: EmbeddedBrowserWebView.dll.1.dr Static PE information: section name: malloc_h
Source: MicrosoftEdgeUpdateCore.exe.1.dr Static PE information: section name: .didat
Source: msedgeupdate.dll.1.dr Static PE information: section name: .didat
Source: AppVLP.exe.1.dr Static PE information: section name: .c2r
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00401A38 push ecx; ret 0_2_00401A4B
Source: pidgenx.dll.1.dr Static PE information: section name: .text entropy: 6.827294297507493

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL32.DllA\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\OUTLVBA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\onmain.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocogl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SHAREPOINTPROVIDER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocpptview.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONVERT\TRANSMGR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RECALL.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLMAPI32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLMIME.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_bho.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLKFSTUB.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\UmOutlookAddin.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OIMG.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OutlookWebHost.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Psom.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OMICAUT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msipc\msipc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OWSCLT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-inv16\sqmapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PUBCONV.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPCORE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VISSHE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Uc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOCIALPROVIDER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SEQCHK10.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSRTEDIT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Tec.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OsfTaskengine.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\STSCOPY.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UCAddin.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\MSVCR71.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLVBS.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WWLIB.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAME.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\roottools.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScr.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONFILTER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\v8jsi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONVERT\RM.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RTC.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Win32MsgQueue.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PSTPRX32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLFLTR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\1033\XLSLICER.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\scdec.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcOffice.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLCTL.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLPH.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocrec.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr110.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWDWG.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\pdf2text.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\management.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\MSVCR120.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBCTRAC.DLL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_bho.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Users\user\AppData\Local\Temp\wctFE34.tmp
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AIDE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\7-Zip\7zCon.sfx
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Cpprest141_2_10.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\hprof.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\7-Zip\7z.sfx
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXSEC32.DLL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe File created: C:\Users\user\AppData\Local\Temp\393A.tmp
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2iexp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\jsdt.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\management.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\7-Zip\7z.sfx
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files\7-Zip\7zCon.sfx
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00585718 rdtsc 0_2_00585718
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_bho.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctFE34.tmp
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AIDE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\7-Zip\7zCon.sfx Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Cpprest141_2_10.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\hprof.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.sfx Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXSEC32.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2iexp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jsdt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\management.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00404A94 FindFirstFileExA, 0_2_00404A94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00409057 VirtualQuery,GetSystemInfo, 0_2_00409057
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 393A.tmp, 00000001.00000003.2285424655.00000000014B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Acrobat.exe.1.dr Binary or memory string: \Adobe\AdobeGCClient"\Adobe\AdobeGCClient\AGCInvokerUtility.exe\AGCInvokerUtility.exe --appID= --appVersion= --appProfileScope= --appPath=x-request-idROOT\CIMV2SELECT * FROM Win32_ComputerSystemWQLHypervisorPresentManufacturerModelVMwareVirtualBoxXenQEMUGoogleVirtualOpenStackSELECT * FROM Win32_ComputerSystemProductUUIDEC2lFnIsWow64Process2 not availablex64ARM64UnknownPROCESSOR_LEVELPROCESSOR_REVISION\\.\PhysicalDrive0%ProgramW6432%\Common FilesAdobe
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <V V="VMWare, Inc." T="W" />
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2285424655.00000000014B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,1
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 393A.tmp, 00000001.00000003.2282459793.0000000001A11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 10/04/2023 15:50:56.369OFFICECL (0xe04)0x250Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 551, "Time": "2023-10-04T13:50:46Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "LFm9Ltrk4S277wbAA8Obddw+Rm4=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <V V="QEMU" T="W" />
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00585718 rdtsc 0_2_00585718
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_0040417D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040417D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00401496 OutputDebugStringA,GetLastError, 0_2_00401496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_0040369F mov eax, dword ptr fs:[00000030h] 0_2_0040369F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00588138 mov eax, dword ptr fs:[00000030h] 0_2_00588138
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00582380 mov eax, dword ptr fs:[00000030h] 0_2_00582380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00404410 GetProcessHeap, 0_2_00404410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_0040201E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040201E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_0040417D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040417D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00401E25 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00401E25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00401F6D SetUnhandledExceptionFilter, 0_2_00401F6D
Source: lync.exe.1.dr Binary or memory string: KCMainFrame::RegisterCMainFrame::InitFlexCMainFrame::UpdateModifierKeyStatusCMainFrame::ProcessMenuHotkeyCMainFrame::GetMinimumWindowSizeCMainFrame::OnListenedInputSplitButtonAnchorAnchorPivotBarstickyButtonidLauncherRootidBuddyListTabidGroupEnvTabidConvEnvTabidPhoneEnvTabidMeetingEnvTabCMainFrame::UpdateSelectedItemsViewModelCMainFrame::OnActivateCMainFrame::UpdateUICMainFrame::GetSelectedItemsCMainFrame::UpdateSelectedItemsCMainFrame::CMainFrameCMainFrame::~CMainFrameCMainFrame::SaveSettingsCMainFrame::CreateCMainFrame::AnimateToOrFromTrayShell_TrayWndTrayNotifyWndCMainFrame::DestroyCMainFrame::HideToTrayCMainFrame::StartShutDownCMainFrame::OnCreateCMainFrame::OnCloseCMainFrame::OnSysCloseCMainFrame::OnDestroyCMainFrame::SetAlwaysOnTopCMainFrame::OnMessagelync\client\desktop\view\mainframe\infra\mainframe.cppCMainFrame::IsMainFrameUISuppressionOnCMainFrame::IsMainUISearchInputTextboxCMainFrame::CanDialPadHandleKeyEventCMainFrame::OnSessionChangedCMainFrame::OnUpdateOutageNotificationCMainFrame::OnSignedInCMainFrame::OnAboutToSignOutCMainFrame::FocusSearchInputCMainFrame::FocusBuddyListPaneCMainFrame::SetSearchInputBoilerplateShowingCMainFrame::FocusLocationEditCMainFrame::SwitchToMainWindowCMainFrame::UpdateWindowTitleCMainFrame::HandleAltUpDownCMainFrame::IsInGroupsViewCMainFrame::IsInRelationshipsViewCMainFrame::IsInStatusViewCMainFrame::IsKeyFocusWithinDialPadDigitsCMainFrame::IsInListViewCMainFrame::GetClientViewModelCMainFrame::GetMainUIViewModelCMainFrame::GetContactListViewModelCMainFrame::GetMainUIContextMenuViewModelCMainFrame::GetSelectedItemsViewModelCMainFrame::GetFocusedDGCMainFrame::GetFocusedGroupCMainFrame::GetGroupsViewModelCMainFrame::GetRelationshipsViewModelCMainFrame::GetStatusViewModelCMainFrame::GetGroupMoveUpCommandOfGroupsViewCMainFrame::GetGroupMoveDownCommandOfGroupsViewCMainFrame::GetGroupMoveUpCommandOfRelationshipsViewCMainFrame::GetGroupMoveDownCommandOfRelationshipsViewCMainFrame::GetGroupMoveUpCommandOfStatusViewCMainFrame::GetGroupMoveDownCommandOfStatusViewCMainFrame::DeferredCreateCMainFrame::HandleKeyForDialPadCMainFrame::NotifyCMainFrame::OnTabFrameManagerPropertyChanged0h
Source: Acrobat.exe.1.dr Binary or memory string: {A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-0000-7760-7E8A45000000}TrunkBetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.SOFTWARE\Google\Chrome\NativeMessagingHosts\Acrobat.Document.11.pdfcom.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj.VersionMajor{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\DC\InstallerLowerCoExVersionCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionReleaseId/i msiexec.exe REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qnBROADCASTCEFRELOAD=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qb\/\*cef_* CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exe ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithListMRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProdu
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_0040213B cpuid 0_2_0040213B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00401D0E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00401D0E
No contacted IP infos