
Windows Analysis Report
SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Analysis ID: 1446230
MD5: 91222ab87d00d9ebff53a1b275760a49
SHA1: 3870e1c16c22984f21f113794666ed6b9bb1b0dd
SHA256: e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59
Tags: exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe (PID: 6184 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe" MD5: 91222AB87D00D9EBFF53A1B275760A49)
    • 393A.tmp (PID: 4836 cmdline: C:\Users\user\AppData\Local\Temp\393A.tmp MD5: C610E7CCD6859872C585B2A85D7DC992)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: https://autodiscover.com/autodiscover/autodiscover.xml | URL Reputation: Label: phishing
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Avira: detection malicious, Label: HEUR/AGEN.1363959
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.4% probability
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdb source: npdeployJava1.dll.1.dr
Source: Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.1.dr
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mspst32.pdb source: MSPST32.DLL.1.dr
Source: Binary string: D:\T\BuildResults\bin\Release\AcrobatExe.pdb source: Acrobat.exe.1.dr
Source: Binary string: symsrv.pdb source: 393A.tmp, 00000001.00000003.2285614223.0000000001483000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2244269952.0000000001483000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mapiph.pdb source: MAPIPH.DLL.1.dr
Source: Binary string: MpDetours.pdb source: MpDetours.dll.1.dr
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetours.pdbGCTL source: MpDetours.dll.1.dr
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.1.dr
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\lync.pdb source: lync.exe.1.dr
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 393A.tmp, 00000001.00000003.2242665140.0000000001456000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: 393A.tmp, 00000001.00000003.2285614223.0000000001483000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2244269952.0000000001483000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setup.pdb source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2ssv\obj\jp2ssv.pdb source: jp2ssv.dll.1.dr
Source: Binary string: or you do not have access permission to the .pdb location. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdbe source: npdeployJava1.dll.1.dr
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tup.pdb source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\sh\odct\1105_210049_0\client\onedrive\Setup\Standalone\exe\obj\i386\OneDriveSetup.pdb source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL32.DllA\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\OUTLVBA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\onmain.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocogl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SHAREPOINTPROVIDER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocpptview.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONVERT\TRANSMGR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RECALL.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLMAPI32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLMIME.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_bho.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLKFSTUB.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\UmOutlookAddin.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OIMG.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OutlookWebHost.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Psom.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OMICAUT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msipc\msipc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OWSCLT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-inv16\sqmapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PUBCONV.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPCORE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VISSHE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Uc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOCIALPROVIDER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SEQCHK10.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSRTEDIT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Tec.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OsfTaskengine.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\STSCOPY.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UCAddin.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\MSVCR71.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLVBS.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WWLIB.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAME.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\roottools.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScr.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONFILTER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\v8jsi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONVERT\RM.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RTC.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\libcrypto-1_1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Win32MsgQueue.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PSTPRX32.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLFLTR.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\1033\XLSLICER.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\scdec.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcOffice.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLCTL.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLPH.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocrec.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr110.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWDWG.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\pdf2text.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\management.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\MSVCR120.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBCTRAC.DLLJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00404A94 FindFirstFileExA
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
Source: 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/win81https://g.live.com/1rewlive5skydrive/win8https://g.live.co
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Enterprisehttps://g.live.com/odclientsettings/MsitFasthttps://g.
Source: 393A.tmp, 00000001.00000003.2285571122.0000000001A11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/react-native-community/react-native-netinfo
Source: MSACCESS.EXE.1.drString found in binary or memory: https://globaldisco.crm.microsoftdynamics.us/https://make.gov.powerapps.us/environments/https://glob
Source: npdeployJava1.dll.1.drString found in binary or memory: https://javadl-esd-secure.oracle.com/update/baseline.version%sURLOverrideSoftware
Source: npdeployJava1.dll.1.drString found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL%s?BundleId=%surl%s%stmp1.8%s.0https://javadl.oracl
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001390000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: MSACCESS.EXE.1.drString found in binary or memory: https://make.powerapps.com/environments/ImexWiz
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: 393A.tmp, 00000001.00000003.2281089832.000000000139C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
Source: 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/offic
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: AutoIt3Help.exe.1.drString found in binary or memory: https://www.autoitscript.com/site/autoit/8
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
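The rows above are the web report's two-column Source / Detail table flattened into single lines: the Detail text runs straight into the Source cell, and the "Jump to behavior" link text is glued onto some values. The Python below is an added example, not part of the Joe Sandbox report or of its tooling. It splits such rows back into their columns, decodes the Source cell (a memory dump of process N, a file written by process N in the `<name>.<N>.dr` convention, or the path of a monitored process), and groups URL hosts by where the string was observed. The sample rows are copied from this report. Two things are assumptions rather than documented facts: the list of Detail prefixes covers only the row types that appear on this page, and the reading of two fields of the dump file name as the Win32 MEMORY_BASIC_INFORMATION Protect and Type values is inferred from the values (0x4 / 0x20000 for the heap-like regions, 0x2 / 0x1000000 for the region at the sample's own image address), since the report does not describe its naming scheme.

```python
"""Split flattened Joe Sandbox 'Source / Detail' rows back into columns and
group URL strings by where they were observed.  Added example; not part of the
report or of Joe Sandbox's own tooling."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: rows copied from this report, in the fused form in which
# the page renders them.
SAMPLE_ROWS = r"""
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autodiscover.uk/Autodiscover/Autodiscover.xml
Source: 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Acrobat.exe.1.drString found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlBrowser
Source: npdeployJava1.dll.1.drString found in binary or memory: https://javadl-esd-secure.oracle.com/update/baseline.version%sURLOverrideSoftware
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe, 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesetup.exeZ vs SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmpMutant created: \Sessions\1\BaseNamedObjects\GA2RZNbm
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSection loaded: sfc_os.dllJump to behavior
"""

# Detail-column prefixes seen in this report.  Assumption: other reports use more.
DETAIL_PREFIXES = (
    "String found in binary or memory:", "Binary or memory string:", "Binary string:",
    "Code function:", "Static PE information:", "Mutant created:", "File created:",
    "File read:", "Key opened:", "Section loaded:", "Process created:",
    "Command line argument:", "Classification label:", "ReversingLabs:",
)
_DETAIL_RE = re.compile("|".join(re.escape(p) for p in DETAIL_PREFIXES))
# '<process>, <8 hex>.<7 more dot-separated fields>.sdmp'
_DUMP_RE = re.compile(r"^(?P<proc>.+?), (?P<dump>[0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]+){7}\.sdmp)$")
_DROPPED_RE = re.compile(r"^(?P<name>.+)\.(?P<by>\d+)\.dr$")
# Tempered pattern: a second 'https://' glued onto a URL starts a new match.
_URL_RE = re.compile(r"https?://(?:(?!https?://)[^\s\"'<>])+")

# Assumed reading of dump-name fields 4 and 6 as MEMORY_BASIC_INFORMATION.Protect
# and .Type (Win32 constants); the report does not document its naming scheme.
PROTECTS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
            0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
REGION_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def classify_source(source):
    """Turn one Source cell into a typed record."""
    m = _DUMP_RE.match(source)
    if m:
        f = m.group("dump").split(".")
        protect, region = int(f[4], 16), int(f[6], 16)
        return {"kind": "memory dump", "process": m.group("proc"),
                "pid_index": int(f[0], 16), "base": int(f[3], 16),
                "protect": PROTECTS.get(protect, hex(protect)),
                "region_type": REGION_TYPES.get(region, hex(region))}
    m = _DROPPED_RE.match(source)
    if m:  # '<name>.<N>.dr' is a file written by process N
        return {"kind": "dropped file", "name": m.group("name"), "dropped_by": int(m.group("by"))}
    if "\\" in source:  # a full path names a monitored process
        return {"kind": "process", "process": source.rsplit("\\", 1)[-1]}
    if source.lower().endswith((".exe", ".dll")):
        return {"kind": "static", "name": source}  # the submitted file itself
    return {"kind": "other", "name": source}  # e.g. 'classification engine', 'unknown'


def parse_row(line):
    """Split a flattened row; rows already separated with ' | ' also work."""
    line = line.strip()
    if line.startswith("Source: "):
        line = line[len("Source: "):]
    m = _DETAIL_RE.search(line)
    if not m:
        raise ValueError(f"no Detail column in row: {line!r}")
    source = line[:m.start()].rstrip(" |")
    detail = line[m.end():].strip()
    if detail.endswith("Jump to behavior"):  # web report link text, not part of the value
        detail = detail[: -len("Jump to behavior")].rstrip()
    sources = [classify_source(s) for s in re.split(r"(?<=\.sdmp), ", source)]
    return {"detail_kind": m.group(0).rstrip(":"), "detail": detail, "sources": sources}


def parse_rows(text):
    return [parse_row(l) for l in text.splitlines() if l.strip()]


def urls_in(detail):
    """Recover URLs from a string value, splitting two URLs that were concatenated."""
    return _URL_RE.findall(detail)


def hosts_by_origin(records):
    """Map 'where the string was seen' -> set of URL hosts."""
    out = defaultdict(set)
    for rec in records:
        if rec["detail_kind"] != "String found in binary or memory":
            continue
        for src in rec["sources"]:
            if src["kind"] == "memory dump":
                origin = f"{src['process']} {src['region_type']} memory"
            elif src["kind"] == "dropped file":
                origin = f"dropped file {src['name']} (written by process {src['dropped_by']})"
            else:
                origin = src["kind"]
            for url in urls_in(rec["detail"]):
                out[origin].add(urlsplit(url).hostname)
    return dict(out)


if __name__ == "__main__":
    for origin, hosts in sorted(hosts_by_origin(parse_rows(SAMPLE_ROWS)).items()):
        print(f"{origin}: {', '.join(sorted(hosts))}")
```

Grouping by origin is what makes this list usable. The URL strings attributed to 393A.tmp all sit in private read-write memory, next to Edge, Chrome, Skype, OneDrive and Office web resources; that is what the heap of a process that reads files across the profile looks like (the same process reads $Recycle.Bin\...\desktop.ini and loads sfc.dll and sfc_os.dll further down), not evidence of its own network use. The `.1.dr` files were written by process 1 (393A.tmp) but carry the PDB paths and version strings of Adobe, Office and Java binaries, so the URLs extracted from them are those applications' own. Treat none of these hosts as a network indicator for the sample without corroboration from the report's network section.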
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_0058B588
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00583E73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_005832AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_0057B6AA
Source: Acrobat.exe.1.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: EmbeddedBrowserWebView.dll.1.dr | Static PE information: Resource name: RT_VERSION type: Hitachi SH little-endian COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe, 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesetup.exeZ vs SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Binary or memory string: OriginalFilenamesetup.exeZ vs SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: 393A.tmp.0.dr | Static PE information: Section: .data ZLIB complexity 0.9983910379955947
Source: Acrobat.exe.1.dr | Binary string: r\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\4202392NtQueryObjectRtlNtStatusToDosErrorRtlCompareUnicodeString\Device\WinDFSCdmRedirectorVolume\Device\HarddiskVolumeDirectoryFileEventSectionKey<>:"\|?*Software\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDownbEnableSameObjectCheckbSupportRDSUPDSYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettingsUvhdEnabledbFilePathPreprocessingUseFileHandleEnabledbFilePathPreprocessingShortcutEnabled"GetFinalPathNameByHandleWGetVolumeInformationByHandleWGetVolumeInformationWacrolock%s%u.%u.%u.tmp%s%s%ssnacnp64.dllsnacnp.dll:\:/ADC4307573:$conprnauxnulcomlptshell:::\/:..NtQueryInformationFilewin\src\win_utils.ccSameKernelObject check failed: {100184D2-BDC3-477a-B8D3-65548B67914C}_%uLocal\Global\NtQueryVolumeInformationFileSYSTEM\CurrentControlSet\Control\Terminal ServerGlassSessionIduserenv.dllDeriveAppContainerSidFromAppContainerNameGetAppContainerFolderPathNtOpenDirectoryObjectGetAppContainerNamedObjectPath\Sessions\%d\%sNtQueryInformationProcess[ZoneTransfer]
Source: Acrobat.exe.1.dr | Binary string: \\.\ko.%x.%x.%xSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer320123456789abcdef\Device\HarddiskVolume.
Source: Acrobat.exe.1.dr | Binary string: \??\UNC\\\.\\Device\SftVol\ntdll.dllA:\Device\\\?\/?/UNC/\?\UNC\
Source: Acrobat.exe.1.dr | Binary string: sbox_alternate_desktop_local_winstation_\??\\\?\\\?\UNC\\\.\\??\pipe\\??\mailslot\\/?/?\\Device\
Source: MpDetours.dll.1.dr | Binary string: w\\.\\\?\UNC\\\?\\Device\Mup\\\
Source: Acrobat.exe.1.dr | Binary string: C\\?\pipe\NGLWFPipe__INS:(ML;;NW;;;LW)D:P(A;;GA;;;OW)(A;;GA;;;AC)\\?\pipe\\Device\NamedPipe\win\src\named_pipe_policy.ccSameObject check failed: InitializeProcThreadAttributeListUpdateProcThreadAttributewin\src\process_thread_policy.ccCreateProcessWAction: STATUS_ACCESS_DENIEDapp name: command line: NtCreateProcessExntdll.dllNtSuspendProcessNtResumeProcessNtQuerySymbolicLinkObjectNtOpenSymbolicLinkObjectNtClose%d\Sessions\BNOLINKSNtCreateEventNtOpenEventwin\src\signed_policy.ccHandle AccessCheck failed:
Source: Acrobat.exe.1.dr | Binary string: {A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-0000-7760-7E8A45000000}TrunkBetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.SOFTWARE\Google\Chrome\NativeMessagingHosts\Acrobat.Document.11.pdfcom.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj.VersionMajor{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\DC\InstallerLowerCoExVersionCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionReleaseId/i msiexec.exe REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qnBROADCASTCEFRELOAD=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qb\/\*cef_* CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exe ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithListMRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProdu
Source: lync.exe.1.dr | Binary or memory string: CSoftware\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Office\16.0\Lync\%sSoftware\Microsoft\Office\16.0\Lync\%s\LocationsSoftware\Microsoft\Office\16.0\Lync\%s\DSSoftware\Microsoft\Office\16.0\Lync\%sLYNCDSBkgndModeDSCLOSELSCONFDSBRANCHOFFICEWARNINGDSCLOSEIMDSCLOSEVOICEDSCLOSEVOICEVIDEODSCLOSEPBXDsCloseCallParkDSMultiModeCloseDSFTAndOthersCloseDSLogoutCloseConversationsDSPublishNumberTellSetDelegatesNoticeWindowRectWindowMaxIMWindowRectIMWindowWidthChatRoomIMWindowWidthMultiAVRoomIMWindowWidthMeetingLargeRoomIMWindowWidthMediumRoomIMWindowWidthSmallRoomIM Save DirectoryShowDirChangeMsgSoftware\Microsoft\Office\16.0\Lync\%s\GroupChatNewMessageRingtoneIndexHighImportanceRingtoneIndexNewMessageCustomeRingtoneFileNameHighImportanceCustomeRingtoneFileNameDontShowLocationWarningLocationsConversationsTabbedConversationFoldersPreferredGeometryDontShowCWCloseTabQueryFontFaceFontColorRefFontSizeIsApplyingToIncomingMessagesPassiveAuthUrlsLCCBLUIManagerLCCHiddenWindowClassLCCHiddenWindowClassTaskbarCreatedTaskbarButtonCreatedTryWindowsMsgrShutdownautomationembeddingfromrunkeyendorserSoftware\IM ProvidersDefaultIMAppurn:ietf:wg:oauth:2.0:ooburn:http-auth:PKeyAuth.ade,.adp,.app,.asp,.bas,.bat,.cer,.chm,.cmd,.com,.cpl,.crt,.csh,.exe,.fxp,.grp,.hlp,.hta,.inf,.ins,.isp,.its,.js,.jse,.ksh,.lnk,.mad,.maf,.mag,.mam,.maq,.mar,.mas,.mat,.mau,.mav,.maw,.mda,.mdb,.mde,.mdt,.mdw,.mdz,.msc,.msi,.msp,.mst,.ocx,.ops,.pcd,.pif,.pl,.pnp,.prf,.prg,.pst,.reg,.scf,.scr,.sct,.shb,.shs,.tmp,.url,.vb,.vbe,.vbs,.vsd,.vsmacros,.vss,.vst,.vsw,.ws,.wsc,.wsf,.wsh,.cnt,.der,.diagcab,.gadget,.hpj,.jar,.jnlp,.mcf,.msh,.msh1,.msh2,.msh1xml,.msh2xml,.mshxml,.msu,.osd,.plg,.printerexport, .ps1, .ps2, .ps1xml, .ps2xml, .psc1, .psc2, .psd1, .psdm1,.theme, .vbp, .webpnp, .website, .xbap, .xll, .xnk,LyncLync AttendeeSystem policy has disabled Lync ((HKCU/HKLM)Software\Policies\Microsoft\Office\Lync\PreventRun). Lync has shut down. * + ,
Source: classification engine | Classification label: mal80.spre.winEXE@3/121@0/0
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Mutant created: \Sessions\1\BaseNamedObjects\GA2RZNbm
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | File created: C:\Users\user\AppData\Local\Temp\393A.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Command line argument: setup.dll | 0_2_00401557
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Command line argument: WinMain | 0_2_00401557
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MSACCESS.EXE.1.dr | Binary or memory string: SELECT [|3].* INTO [|1] IN '|2' FROM [|3]INSERT INTO [|1] IN '|2' SELECT [|3].* FROM [|3];XML\Transforms\ExportTransformsXML\Transforms\ImportTransformsIndex1yyyy|0;MAPILEVEL=|1;PROFILE=|2;TABLETYPE=|3HTML Import;IMEX=1;HDR=NO;CharacterSet=|0WSIDimex:ListPathimex:AdditionalDataimex:Column[not(@Width)]imex:Tableimex:AccessObject
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 393A.tmp, 00000001.00000003.2277134741.0000000001464000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | ReversingLabs: Detection: 63%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Process created: C:\Users\user\AppData\Local\Temp\393A.tmp C:\Users\user\AppData\Local\Temp\393A.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: setup.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Section loaded: sfc_os.dll
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
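The flag names in the static PE rows come from two header fields, IMAGE_FILE_HEADER.Characteristics (RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, listed earlier for this sample) and IMAGE_OPTIONAL_HEADER.DllCharacteristics (DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE), and the data directory rows from the optional header's directory table. The combination deserves a second look: per the PE format, RELOCS_STRIPPED means the image must be mapped at its ImageBase, so the DYNAMIC_BASE (ASLR) flag next to it has no effect, and a BASERELOC directory alongside RELOCS_STRIPPED is internally inconsistent. The Python below is an added example and not part of the report: it parses those fields from raw bytes and derives those observations. The header bytes are constructed inside the block to carry exactly the flags and directories the report lists; the sample binary itself is not reproduced here.

```python
"""Decode IMAGE_FILE_HEADER.Characteristics, IMAGE_OPTIONAL_HEADER.DllCharacteristics
and the data-directory table from raw PE bytes, then derive the mitigation
observations a reviewer would make.  Added example; the header bytes are
constructed below to carry the flags this report lists, not taken from the sample."""
import struct

FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x0800: "NET_RUN_FROM_SWAP",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
FILE_HEADER = "<HHIIIHH"


def build_sample_header(characteristics, dll_characteristics, present_dirs):
    """Constructed test data: a minimal PE32 header with no sections."""
    hdr = bytearray(0x40 + 4 + 20 + 224)           # DOS header, 'PE\0\0', file header, PE32 optional header
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into(FILE_HEADER, hdr, 0x44, 0x14C, 0, 0, 0, 0, 224, characteristics)
    oh = 0x44 + 20
    struct.pack_into("<H", hdr, oh, 0x10B)          # PE32 magic
    struct.pack_into("<I", hdr, oh + 28, 0x400000)  # ImageBase
    struct.pack_into("<H", hdr, oh + 70, dll_characteristics)
    struct.pack_into("<I", hdr, oh + 92, 16)        # NumberOfRvaAndSizes
    for name in present_dirs:                       # a non-zero RVA/size marks a directory present
        i = DATA_DIRECTORIES.index(name)
        struct.pack_into("<II", hdr, oh + 96 + 8 * i, 0x1000 * (i + 1), 0x100)
    return bytes(hdr)


def parse_pe_flags(data):
    """Return the named flags and the present data directories of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, _, _, _, _, chars = struct.unpack_from(FILE_HEADER, data, pe + 4)
    oh = pe + 24
    pe32plus = struct.unpack_from("<H", data, oh)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, oh + 70)[0]  # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, oh + (108 if pe32plus else 92))[0]
    dir_table = oh + (112 if pe32plus else 96)
    present = [DATA_DIRECTORIES[i] for i in range(min(n_dirs, 16))
               if any(struct.unpack_from("<II", data, dir_table + 8 * i))]
    return {
        "machine": machine, "pe32plus": pe32plus,
        "characteristics": [n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit],
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "directories": present,
    }


def assess_mitigations(flags):
    """Observations that follow from the flag combination alone."""
    c, d, dirs = set(flags["characteristics"]), set(flags["dll_characteristics"]), set(flags["directories"])
    notes = []
    if "DYNAMIC_BASE" in d and "RELOCS_STRIPPED" in c:
        notes.append("ASLR ineffective: DYNAMIC_BASE is set, but RELOCS_STRIPPED requires the image "
                     "to be mapped at its ImageBase, so the loader cannot rebase it")
    elif "DYNAMIC_BASE" in d:
        notes.append("ASLR enabled" + ("" if flags["pe32plus"] and "HIGH_ENTROPY_VA" in d
                                       else " (low entropy: 32-bit or no HIGH_ENTROPY_VA)"))
    else:
        notes.append("ASLR disabled: no DYNAMIC_BASE")
    if "RELOCS_STRIPPED" in c and "BASERELOC" in dirs:
        notes.append("inconsistent header: a BASERELOC directory is present although RELOCS_STRIPPED is set")
    if "NX_COMPAT" not in d:
        notes.append("DEP not opted in: no NX_COMPAT")
    if "32BIT_MACHINE" in c and "LARGE_ADDRESS_AWARE" not in c:
        notes.append("32-bit image limited to the lower 2 GB of address space")
    if c & {"REMOVABLE_RUN_FROM_SWAP", "NET_RUN_FROM_SWAP"}:
        notes.append("run-from-swap flags set (linker /SWAPRUN), common on installer stubs")
    return notes


if __name__ == "__main__":
    sample = build_sample_header(0x0D03, 0x8140, ["IMPORT", "RESOURCE", "BASERELOC", "DEBUG", "LOAD_CONFIG", "IAT"])
    info = parse_pe_flags(sample)
    print("Characteristics:   ", ", ".join(info["characteristics"]))
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
    print("Data directories:  ", ", ".join(info["directories"]))
    for note in assess_mitigations(info):
        print(" -", note)
```

The run-from-swap flags are linker options (/SWAPRUN) normally seen on installer stubs, which fits the setup.exe OriginalFilename and the setup.dll / WinMain rows earlier in this report but proves nothing about intent. The ASLR finding is the one with exploitation consequences: a 32-bit image fixed at its ImageBase gives every gadget and data address a stable location, whatever the DYNAMIC_BASE bit says.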
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdb source: npdeployJava1.dll.1.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mapiph.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MAPIPH.DLL.1.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\lync.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: lync.exe.1.dr
Source: Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.1.dr
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mspst32.pdb source: MSPST32.DLL.1.dr
Source: Binary string: D:\T\BuildResults\bin\Release\AcrobatExe.pdb source: Acrobat.exe.1.dr
Source: Binary string: symsrv.pdb source: 393A.tmp, 00000001.00000003.2285614223.0000000001483000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2244269952.0000000001483000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mapiph.pdb source: MAPIPH.DLL.1.dr
Source: Binary string: MpDetours.pdb source: MpDetours.dll.1.dr
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetours.pdbGCTL source: MpDetours.dll.1.dr
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.1.dr
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\outlook\x-none\mspst32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSPST32.DLL.1.dr
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setup.pdbtup.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: Unable to locate the .pdb file in this location source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb.dbg source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\lync.pdb source: lync.exe.1.dr
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 393A.tmp, 00000001.00000003.2242665140.0000000001456000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symsrv.pdbGCTL source: 393A.tmp, 00000001.00000003.2285614223.0000000001483000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2244269952.0000000001483000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setup.pdb source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2ssv\obj\jp2ssv.pdb source: jp2ssv.dll.1.dr
Source: Binary string: or you do not have access permission to the .pdb location. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdbe source: npdeployJava1.dll.1.dr
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tup.pdb source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\sh\odct\1105_210049_0\client\onedrive\Setup\Standalone\exe\obj\i386\OneDriveSetup.pdb source: 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdbGCTL source: 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: mfc140u.dll.1.dr Static PE information: 0xB68BCE5A [Tue Jan 18 22:34:02 2067 UTC]
Source: lync99.exe.1.dr Static PE information: section name: .c2r
Source: mce.dll.1.dr Static PE information: section name: .orpc
Source: mfc140u.dll.1.dr Static PE information: section name: .didat
Source: mip_pdf_sdk.dll.1.dr Static PE information: section name: .didat
Source: AGM.dll.1.dr Static PE information: section name: .didat
Source: msoadfsb.exe.1.dr Static PE information: section name: .detourc
Source: msoadfsb.exe.1.dr Static PE information: section name: .c2r
Source: VC_redist.x64.exe.1.dr Static PE information: section name: .wixburn
Source: MpDetours.dll.1.dr Static PE information: section name: .detourc
Source: MpDetours.dll.1.dr Static PE information: section name: .detourd
Source: MpDetoursCopyAccelerator.dll.1.dr Static PE information: section name: .detourc
Source: MpDetoursCopyAccelerator.dll.1.dr Static PE information: section name: .detourd
Source: Acrobat.exe.1.dr Static PE information: section name: .didat
Source: AcroPDFImpl.dll.1.dr Static PE information: section name: .orpc
Source: AppvIsvSubsystems32.dll.1.dr Static PE information: section name: .mrdata
Source: AppvIsvSubsystems32.dll.1.dr Static PE information: section name: .detourd
Source: AppvIsvSubsystems32.dll.1.dr Static PE information: section name: .detourc
Source: AppvIsvSubsystems32.dll.1.dr Static PE information: section name: .c2r
Source: AutoItX3.dll.1.dr Static PE information: section name: .orpc
Source: ie_to_edge_bho.dll.1.dr Static PE information: section name: .00cfg
Source: EmbeddedBrowserWebView.dll.1.dr Static PE information: section name: .00cfg
Source: EmbeddedBrowserWebView.dll.1.dr Static PE information: section name: .rodata
Source: EmbeddedBrowserWebView.dll.1.dr Static PE information: section name: CPADinfo
Source: EmbeddedBrowserWebView.dll.1.dr Static PE information: section name: malloc_h
Source: MicrosoftEdgeUpdateCore.exe.1.dr Static PE information: section name: .didat
Source: msedgeupdate.dll.1.dr Static PE information: section name: .didat
Source: AppVLP.exe.1.dr Static PE information: section name: .c2r
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe Code function: 0_2_00401A38 push ecx; ret 0_2_00401A4B
Source: pidgenx.dll.1.dr Static PE information: section name: .text entropy: 6.827294297507493
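The static checks listed above (non-standard section names, the year-2067 link timestamp on mfc140u.dll.1.dr, the .text entropy of pidgenx.dll.1.dr) can be reproduced without a PE library. The block below is an added example, not code from the report or from Joe Sandbox: it reads the COFF header and section table of a PE image with the standard library only, and the image it inspects is constructed inline by build_demo_pe(). The only value taken from the report is the 0xB68BCE5A timestamp; STANDARD_SECTIONS is this example's own allow-list, not a Joe Sandbox rule.

```python
"""Static PE triage in plain Python: section names, link timestamp, entropy.

Added example; not part of the Joe Sandbox report and no third-party module
(no pefile). It re-implements three of the static checks listed above:
non-standard section names, a PE header TimeDateStamp in the future, and
per-section Shannon entropy. The PE image is CONSTRUCTED by build_demo_pe();
only the timestamp value is taken from the report (mfc140u.dll.1.dr).
"""
import math
import struct
from datetime import datetime, timezone

# Names a stock MSVC/GCC link produces. Anything else (.detourc/.detourd from
# Detours, .c2r from Click-to-Run, .wixburn, packer stubs) deserves a look.
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
    ".reloc", ".bss", ".tls", ".CRT", ".gfids", ".xdata",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Return (TimeDateStamp, [(name, raw_offset, raw_size), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 4 + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsect):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]       # 40-byte section header
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        sections.append((name, raw_ptr, raw_size))
    return stamp, sections


def triage(image: bytes, now: datetime) -> dict:
    """Findings in the spirit of the report's 'Static PE information' lines."""
    stamp, sections = parse_sections(image)
    linked = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "timestamp": linked,
        "future_timestamp": linked > now,       # the report's "suspicious time stamp"
        "nonstandard_sections": [n for n, _, _ in sections if n not in STANDARD_SECTIONS],
        "entropy": {n: round(shannon_entropy(image[p:p + s]), 3) for n, p, s in sections},
    }


def build_demo_pe(stamp: int, specs) -> bytes:
    """CONSTRUCTED minimal PE32: DOS header, COFF header, zeroed optional
    header, one section header per (name, raw_bytes) spec, then the raw data."""
    pe_off, opt_size = 0x40, 224                               # 224 = PE32 optional header
    data_ptr = pe_off + 4 + 20 + opt_size + 40 * len(specs)
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), stamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    headers, payload = b"", b""
    for name, raw in specs:
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw),
                               data_ptr + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += raw
    return bytes(dos) + b"PE\0\0" + coff + opt + headers + payload


def demo_findings() -> dict:
    image = build_demo_pe(0xB68BCE5A, [              # stamp reported for mfc140u.dll.1.dr
        (b".text", bytes(range(256)) * 4),           # maximally random: entropy 8.0
        (b".detourc", b"\x90" * 64),                 # Detours section, non-standard name
        (b".rdata", b"A" * 256),                     # constant data: entropy 0.0
    ])
    return triage(image, now=datetime(2024, 5, 24, tzinfo=timezone.utc))


if __name__ == "__main__":
    for key, value in demo_findings().items():
        print(f"{key}: {value}")
```

Run it against a real file by passing `open(path, "rb").read()` to triage() instead of the constructed image; a future TimeDateStamp alone proves little (reproducible builds stamp a hash, and Detours or Click-to-Run sections are legitimate in the Office and Defender binaries listed here), so read these findings together with the file-write behaviour below rather than as verdicts on their own.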

Persistence and Installation Behavior

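The events that follow are writes by the dropped 393A.tmp into binaries that were already installed on the analysis VM (Acrobat, Office, Java, Firefox, Edge, the Defender platform directory), which is what the "Infects executable files" verdict rests on. The block below is an added example, not code from the report: it parses report lines of the form "Source: <writing process> File written: <target>" (the raw text export fuses the two columns and appends a "Jump to behavior" link; both forms are accepted), keeps only targets that are executable images under the program directories, flags targets reported under both "File written" and "System file written", and groups the rest by product tree. SAMPLE_LINES is a short excerpt of this section's events, one of them left in the raw export form; PE_EXT and PROGRAM_ROOTS are this example's own heuristics.

```python
"""Triage of the sandbox 'File written' events of a PE file infector.

Added example; not part of the Joe Sandbox report. SAMPLE_LINES excerpts the
events listed in this section (one line kept in the raw export form, with
fused columns and the trailing link). PE_EXT and PROGRAM_ROOTS are the
example's own assumptions about what counts as an installed executable.
"""
import re
from collections import defaultdict

# process and kind may be fused (raw export) or space-separated; the trailing
# "Jump to behavior" link text, when present, is not part of the target path.
EVENT_RE = re.compile(
    r"^Source: (?P<process>.+?)\s*(?P<kind>System file written|File written): "
    r"(?P<target>.+?)\s*(?:Jump to behavior)?$"
)
PE_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")
PROGRAM_ROOTS = (r"C:\Program Files (x86)", r"C:\Program Files", r"C:\ProgramData")

SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL32.DllA\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exeJump to behavior
Source: Binary string: MpDetours.pdb source: MpDetours.dll.1.dr
"""


def parse_events(text: str):
    """(process, kind, target) per matching line; other report lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["process"].strip(), m["kind"], m["target"]))
    return events


def program_root(path: str):
    """The PROGRAM_ROOTS entry the path lives under, or None."""
    low = path.lower()
    for root in PROGRAM_ROOTS:
        if low.startswith(root.lower() + "\\"):
            return root
    return None


def summarize(text: str) -> dict:
    events = parse_events(text)
    kinds_by_target = defaultdict(set)          # target -> event kinds that reported it
    for _proc, kind, target in events:
        if program_root(target) and target.lower().endswith(PE_EXT):
            kinds_by_target[target].add(kind)
    by_product = defaultdict(list)              # "<root>\<first dir>" -> targets
    for target in sorted(kinds_by_target):
        root = program_root(target)
        first = target[len(root) + 1:].split("\\", 1)[0]
        by_product[root + "\\" + first].append(target)
    return {
        "events": len(events),
        "writers": sorted({p for p, _, _ in events}),
        "unique_pe_targets": len(kinds_by_target),
        "reported_twice": sorted(t for t, k in kinds_by_target.items() if len(k) == 2),
        "by_product": dict(by_product),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for key in ("events", "writers", "unique_pe_targets", "reported_twice"):
        print(f"{key}: {summary[key]}")
    for product, targets in summary["by_product"].items():
        print(f"{product}: {len(targets)} target(s)")
```

Feed it the whole behaviour section rather than the excerpt to get the full target inventory. Because every target is an existing application binary rather than a new drop, cleanup of an infected host cannot stop at deleting the dropper: each listed path has to be hash-checked or signature-verified against a clean install and restored where it differs.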
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL32.DllA\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\OUTLVBA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\onmain.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocogl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SHAREPOINTPROVIDER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocpptview.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONVERT\TRANSMGR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RECALL.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLMAPI32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLMIME.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_bho.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLKFSTUB.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\UmOutlookAddin.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OIMG.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OutlookWebHost.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Psom.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OMICAUT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msipc\msipc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OWSCLT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-inv16\sqmapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PUBCONV.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPCORE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VISSHE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Uc.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOCIALPROVIDER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SEQCHK10.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSRTEDIT.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Tec.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OsfTaskengine.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\STSCOPY.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UCAddin.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\MSVCR71.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLVBS.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WWLIB.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAME.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\roottools.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScr.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONFILTER.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\v8jsi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONVERT\RM.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RTC.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl32.DllA\OpenSSL32.DllA\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Win32MsgQueue.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PSTPRX32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLFLTR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\1033\XLSLICER.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\scdec.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcOffice.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLCTL.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLPH.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocrec.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr110.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWDWG.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\pdf2text.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\management.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\MSVCR120.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ODBCTRAC.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXEJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Mozilla Firefox\uninstall\helper.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXEJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_bho.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Users\user\AppData\Local\Temp\wctFE34.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AIDE.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\7-Zip\7zCon.sfxJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\Cpprest141_2_10.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\hprof.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\7-Zip\7z.sfxJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXSEC32.DLLJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exeFile created: C:\Users\user\AppData\Local\Temp\393A.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cplJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2iexp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jsdt.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Java\jre-1.8\bin\management.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00585718 rdtsc 0_2_00585718
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_bho.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctFE34.tmp
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AIDE.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLL
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\7-Zip\7zCon.sfxJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Cpprest141_2_10.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\hprof.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\7-Zip\7z.sfxJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXSEC32.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cplJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2iexp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jsdt.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\management.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00404A94 FindFirstFileExA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00409057 VirtualQuery,GetSystemInfo
Note on the VMware strings below: they are hits in memory dumps (.sdmp regions) of 393A.tmp, and several are visibly host-side data that carries the analysis VM's manufacturer and model, for example the Office telemetry record (Data.DeviceManufacturer, Data.DeviceModel) and the Skype configuration URL (Manufacturer=, Model=). They record that VM-identifying data was present in the process; on their own they do not show that the sample tests for a hypervisor.
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 393A.tmp, 00000001.00000003.2285424655.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Acrobat.exe.1.dr | Binary or memory string: \Adobe\AdobeGCClient"\Adobe\AdobeGCClient\AGCInvokerUtility.exe\AGCInvokerUtility.exe --appID= --appVersion= --appProfileScope= --appPath=x-request-idROOT\CIMV2SELECT * FROM Win32_ComputerSystemWQLHypervisorPresentManufacturerModelVMwareVirtualBoxXenQEMUGoogleVirtualOpenStackSELECT * FROM Win32_ComputerSystemProductUUIDEC2lFnIsWow64Process2 not availablex64ARM64UnknownPROCESSOR_LEVELPROCESSOR_REVISION\\.\PhysicalDrive0%ProgramW6432%\Common FilesAdobe
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <V V="VMWare, Inc." T="W" />
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 393A.tmp, 00000001.00000003.2285424655.00000000014B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,1
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 393A.tmp, 00000001.00000003.2282459793.0000000001A11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 10/04/2023 15:50:56.369OFFICECL (0xe04)0x250Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 551, "Time": "2023-10-04T13:50:46Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "LFm9Ltrk4S277wbAA8Obddw+Rm4=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <V V="QEMU" T="W" />
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: 393A.tmp, 00000001.00000003.2278055944.00000000014AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00585718 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_0040417D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00401496 OutputDebugStringA,GetLastError
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_0040369F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00588138 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00582380 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00404410 GetProcessHeap
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_0040201E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_0040417D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00401E25 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00401F6D SetUnhandledExceptionFilter
Source: lync.exe.1.dr | Binary or memory string: KCMainFrame::RegisterCMainFrame::InitFlexCMainFrame::UpdateModifierKeyStatusCMainFrame::ProcessMenuHotkeyCMainFrame::GetMinimumWindowSizeCMainFrame::OnListenedInputSplitButtonAnchorAnchorPivotBarstickyButtonidLauncherRootidBuddyListTabidGroupEnvTabidConvEnvTabidPhoneEnvTabidMeetingEnvTabCMainFrame::UpdateSelectedItemsViewModelCMainFrame::OnActivateCMainFrame::UpdateUICMainFrame::GetSelectedItemsCMainFrame::UpdateSelectedItemsCMainFrame::CMainFrameCMainFrame::~CMainFrameCMainFrame::SaveSettingsCMainFrame::CreateCMainFrame::AnimateToOrFromTrayShell_TrayWndTrayNotifyWndCMainFrame::DestroyCMainFrame::HideToTrayCMainFrame::StartShutDownCMainFrame::OnCreateCMainFrame::OnCloseCMainFrame::OnSysCloseCMainFrame::OnDestroyCMainFrame::SetAlwaysOnTopCMainFrame::OnMessagelync\client\desktop\view\mainframe\infra\mainframe.cppCMainFrame::IsMainFrameUISuppressionOnCMainFrame::IsMainUISearchInputTextboxCMainFrame::CanDialPadHandleKeyEventCMainFrame::OnSessionChangedCMainFrame::OnUpdateOutageNotificationCMainFrame::OnSignedInCMainFrame::OnAboutToSignOutCMainFrame::FocusSearchInputCMainFrame::FocusBuddyListPaneCMainFrame::SetSearchInputBoilerplateShowingCMainFrame::FocusLocationEditCMainFrame::SwitchToMainWindowCMainFrame::UpdateWindowTitleCMainFrame::HandleAltUpDownCMainFrame::IsInGroupsViewCMainFrame::IsInRelationshipsViewCMainFrame::IsInStatusViewCMainFrame::IsKeyFocusWithinDialPadDigitsCMainFrame::IsInListViewCMainFrame::GetClientViewModelCMainFrame::GetMainUIViewModelCMainFrame::GetContactListViewModelCMainFrame::GetMainUIContextMenuViewModelCMainFrame::GetSelectedItemsViewModelCMainFrame::GetFocusedDGCMainFrame::GetFocusedGroupCMainFrame::GetGroupsViewModelCMainFrame::GetRelationshipsViewModelCMainFrame::GetStatusViewModelCMainFrame::GetGroupMoveUpCommandOfGroupsViewCMainFrame::GetGroupMoveDownCommandOfGroupsViewCMainFrame::GetGroupMoveUpCommandOfRelationshipsViewCMainFrame::GetGroupMoveDownCommandOfRelationshipsViewCMainFrame::GetGroupMoveUpCommandOfStatusViewCMainFrame::GetGroupMoveDownCommandOfStatusViewCMainFrame::DeferredCreateCMainFrame::HandleKeyForDialPadCMainFrame::NotifyCMainFrame::OnTabFrameManagerPropertyChanged0h
Source: Acrobat.exe.1.dr | Binary or memory string: {A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-0000-7760-7E8A45000000}TrunkBetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.SOFTWARE\Google\Chrome\NativeMessagingHosts\Acrobat.Document.11.pdfcom.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj.VersionMajor{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\DC\InstallerLowerCoExVersionCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionReleaseId/i msiexec.exe REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qnBROADCASTCEFRELOAD=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qb\/\*cef_* CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exe ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithListMRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProdu
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_0040213B cpuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00401D0E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
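Added example (not part of the report or of Joe Sandbox): a triage helper that parses the two kinds of signature line in this section, the "Dropped PE file which has not been started" entries from 393A.tmp and the "Code function" entries above, into the inventory of host binaries that need re-baselining and a per-category list of the anti-analysis code hits. The sample lines are copied from this report; the category names, the product-directory grouping and the function names are the example's own. It also sets aside two API sequences that are MSVC runtime boilerplate rather than the sample's own anti-debugging: GetSystemTimeAsFileTime/GetCurrentThreadId/GetCurrentProcessId/QueryPerformanceCounter is the runtime's security-cookie initialisation, and IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter (with or without GetCurrentProcess/TerminateProcess) is its fail-fast handler; the rdtsc and PEB (fs:[30h]) hits at 0x0058xxxx are the ones worth looking at.

```python
"""Triage helper for Joe Sandbox signature lines (added example, not report code).

Builds the infected-host-file inventory from "Dropped PE file which has not been
started" entries and maps "Code function" API sequences to anti-analysis
categories, listing MSVC runtime boilerplate separately.
"""
import re
from collections import defaultdict

# Constructed input: a subset of this report's own lines. The parser accepts both
# the cleaned "Source | Signature" form and the raw extraction, in which the table
# cells run together and carry the "Jump to dropped file" link text.
REPORT_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Users\user\AppData\Local\Temp\393A.tmpDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctFE34.tmp
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll
Source: C:\Users\user\AppData\Local\Temp\393A.tmp | Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.sfx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00585718 rdtsc 0_2_00585718
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exeCode function: 0_2_0040417D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040417D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00401496 OutputDebugStringA,GetLastError
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_0040369F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_0040213B cpuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | Code function: 0_2_00401D0E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
""".strip().splitlines()

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*"
    r"(?P<sig>Dropped PE file which has not been started|Code function):\s*"
    r"(?P<detail>.*?)\s*$"
)
FUNC_ID = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8}\b")   # e.g. 0_2_00585718
LINK_RESIDUE = "Jump to dropped file"

# Anti-analysis categories keyed on the API/instruction names the report lists.
ANTI_ANALYSIS = {
    "debugger check": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                       "OutputDebugStringA", "OutputDebugStringW"},
    "timing check": {"rdtsc", "QueryPerformanceCounter", "GetTickCount"},
    "PEB access": {"fs:[00000030h]"},
    "CPU fingerprint": {"cpuid"},
}
# Sequences emitted by the MSVC runtime's security-cookie initialisation and
# fail-fast handlers: they contain IsDebuggerPresent/QueryPerformanceCounter but
# are compiler boilerplate, so they are reported under their own key.
CRT_BOILERPLATE = [
    ("GetSystemTimeAsFileTime", "GetCurrentThreadId", "GetCurrentProcessId", "QueryPerformanceCounter"),
    ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"),
    ("SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"),
]


def parse(lines):
    """Return (source, signature, detail) triples for the lines this helper understands."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            detail = m["detail"].replace(LINK_RESIDUE, "").strip()
            records.append((m["src"], m["sig"], detail))
    return records


def product_dir(path):
    """Installed product directory (C:\\Program Files (x86)\\Vendor) or, elsewhere, the parent directory."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[1].lower().startswith("program"):
        return "\\".join(parts[:3])
    return "\\".join(parts[:-1])


def infected_inventory(records):
    """Product directory -> sorted host files the dropper wrote; these are the files to re-baseline."""
    inv = defaultdict(list)
    for _src, sig, detail in records:
        if sig.startswith("Dropped"):
            inv[product_dir(detail)].append(detail)
    return {k: sorted(v) for k, v in inv.items()}


def outside_program_files(records):
    """Dropped PEs not under Program Files (temp artefacts, ProgramData copies): collect these first."""
    return sorted(d for _s, sig, d in records
                  if sig.startswith("Dropped") and not d.lower().startswith("c:\\program files"))


def api_sequence(detail):
    """Ordered API/instruction names of a Code function entry, function ids removed."""
    return tuple(t for t in re.split(r"[,\s]+", FUNC_ID.sub("", detail)) if t)


def is_crt_boilerplate(seq):
    return any(seq[i:i + len(p)] == p
               for p in CRT_BOILERPLATE for i in range(len(seq) - len(p) + 1))


def anti_analysis_summary(records):
    """Category -> function ids that hit it; CRT boilerplate is listed under "crt boilerplate"."""
    out = defaultdict(list)
    for _src, sig, detail in records:
        if sig != "Code function":
            continue
        fid = FUNC_ID.search(detail)
        fid = fid.group(0) if fid else "?"
        seq = api_sequence(detail)
        if is_crt_boilerplate(seq):
            out["crt boilerplate"].append(fid)
            continue
        for category, names in ANTI_ANALYSIS.items():
            if set(seq) & names:
                out[category].append(fid)
    return dict(out)


if __name__ == "__main__":
    recs = parse(REPORT_LINES)
    for d, files in sorted(infected_inventory(recs).items()):
        print(f"{d}: {len(files)} file(s)")
    print("collect first:", outside_program_files(recs))
    print("anti-analysis:", anti_analysis_summary(recs))
```

Paste the full signature table in place of REPORT_LINES to get the complete inventory. On a fleet, every path in the inventory is a binary that should match its vendor's release on a clean host, so an Authenticode signature check plus a known-good hash comparison at those paths (most of them are vendor-signed; the unsigned ones need the hash) is the quickest indicator of this infector having run.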
MITRE ATT&CK Matrix (count of matching signatures in parentheses; entries without a count were not matched by any signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (11); Process Injection (2); Obfuscated Files or Information (2); Software Packing (2); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (41); Process Discovery (1); File and Directory Discovery (2); System Information Discovery (13); Wi-Fi Discovery
Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detection, submitted file (Source | Detection | Scanner | Label; the Link column is empty):
SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe | 63% | ReversingLabs | Win32.Trojan.Convagent

Antivirus detection, dropped files (Source | Detection | Scanner | Label; the Link column is empty):
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | HEUR/AGEN.1363959
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\java.dll | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
Antivirus detection, URLs (URL | Detection | Scanner | Label). These are URL strings recovered from process memory and dropped files; the table that follows gives the source of each. The analysis recorded no contacted domains or IPs, so the single phishing verdict, a reputation lookup on https://autodiscover.com/autodiscover/autodiscover.xml, is a string found in 393A.tmp memory next to the same Exchange Autodiscover path for a dozen other TLDs, not observed traffic.
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | 0% | URL Reputation | safe
https://autodiscover.com.br/Autodiscover/Autodiscover.xml | 0% | URL Reputation | safe
https://autodiscover.uk/Autodiscover/Autodiscover.xml | 0% | URL Reputation | safe
https://autodiscover.xyz/autodiscover/autodiscover.xml | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | URL Reputation | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://dc.services.visualstudio.com/v2/track | 0% | URL Reputation | safe
https://autodiscover.in/Autodiscover/Autodiscover.xml | 0% | URL Reputation | safe
https://maps.windows.com/windows-app-web-link | 0% | URL Reputation | safe
https://autodiscover.com/autodiscover/autodiscover.xml | 100% | URL Reputation | phishing
https://autodiscover.it/Autodiscover/Autodiscover.xml | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://autodiscover.fr/Autodiscover/Autodiscover.xml | 0% | URL Reputation | safe
https://autodiscover.online/Autodiscover/Autodiscover.xml | 0% | URL Reputation | safe
https://autodiscover.com.cn/autodiscover/autodiscover.xml | 0% | URL Reputation | safe
https://autodiscover.sg/Autodiscover/Autodiscover.xml | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=wsb | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://autodiscover.es/Autodiscover/Autodiscover.xml | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe
https://aka.ms/AAbbac2PA1E | 0% | Avira URL Cloud | safe
http://127.0.0.1:8043 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA$Estamos | 0% | Avira URL Cloud | safe
https://github.com/react-native-community/react-native-netinfo | 0% | Avira URL Cloud | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://javadl.oracle.com/webapps/download/AutoDL%s?BundleId=%surl%s%stmp1.8%s.0https://javadl.oracl | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA(Pripremamo | 0% | Avira URL Cloud | safe
https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/ui.win32.js.map/d6bb35bc608af2672a5b746ba | 0% | Avira URL Cloud | safe
https://globaldisco.crm.microsoftdynamics.us/https://make.gov.powerapps.us/environments/https://glob | 0% | Avira URL Cloud | safe
https://crbug.com/820996 | 0% | Avira URL Cloud | safe
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | 0% | Avira URL Cloud | safe
http://CurrentVersion.htmLync16LyncClassesSoftwareMicrosoftIM | 0% | Avira URL Cloud | safe
https://HTTP/1.1GETSRange: | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA | 0% | Avira URL Cloud | safe
http:///api/v1/query127.0.0.1:8043ModuleUnknown | 0% | Avira URL Cloud | safe
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | 0% | Avira URL Cloud | safe
https://aka.ms/convergencefaq | 0% | Avira URL Cloud | safe
https://crbug.com/820996LaunchElevatedProcessXML | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA&C | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2%Ons | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2;Nous | 0% | Avira URL Cloud | safe
http://UserName.htm.htmlInterfaceExcelOutlookPowerPointWordInternet | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2(PY | 0% | Avira URL Cloud | safe
https://www.autoitscript.com/site/autoit/8 | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA1 | 0% | Avira URL Cloud | safe
https://aefd.nel | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2.Rydyn | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac25 | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2)Vi | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://javadl-esd-secure.oracle.com/update/baseline.version%sURLOverrideSoftware | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA%We | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2(Na-akwadobe | 0% | Avira URL Cloud | safe
https://make.powerapps.com/environments/ImexWiz | 0% | Avira URL Cloud | safe
http://ocsp.di | 0% | Avira URL Cloud | safe
http://127.0.0.1;LIST=;VIEW=dBASE | 0% | Avira URL Cloud | safe
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2- | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2. | 0% | Avira URL Cloud | safe
https://g.live.com/odclientsettings/Enterprisehttps://g.live.com/odclientsettings/MsitFasthttps://g. | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2%We | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA% | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://https://_bad_pdb_file.pdb | 0% | Avira URL Cloud | safe
https://clients3.google.com/generate_204 | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA3Ch | 0% | Avira URL Cloud | safe
https://g.live.com/1rewlive5skydrive/win81https://g.live.com/1rewlive5skydrive/win8https://g.live.co | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2#Rengiame | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2-9 | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA3OneDrive | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2) | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2( | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2#HY | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2 | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA1OneDrive | 0% | Avira URL Cloud | safe
https://aka.ms/AAbbac2PA$Imakunatapas | 0% | Avira URL Cloud | safe
No contacted domains info
URLs by source (Name | Source | Malicious | Antivirus Detection | Reputation; "-" means no scanner verdict was recorded):
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | 393A.tmp, 00000001.00000003.2281492148.0000000001323000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/ui.win32.js.map/d6bb35bc608af2672a5b746ba | 393A.tmp, 00000001.00000003.2285571122.0000000001A11000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2PA$Estamos | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autodiscover.com.br/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autodiscover.uk/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/react-native-community/react-native-netinfo | 393A.tmp, 00000001.00000003.2285571122.0000000001A11000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2PA(Pripremamo | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://javadl.oracle.com/webapps/download/AutoDL%s?BundleId=%surl%s%stmp1.8%s.0https://javadl.oracl | npdeployJava1.dll.1.dr | false | Avira URL Cloud: safe | unknown
https://autodiscover.xyz/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:8043 | MSPST32.DLL.1.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2PA1E | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://globaldisco.crm.microsoftdynamics.us/https://make.gov.powerapps.us/environments/https://glob | MSACCESS.EXE.1.dr | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.000000000137B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crbug.com/820996 | Acrobat.exe.1.dr | false | Avira URL Cloud: safe | unknown
https://dc.services.visualstudio.com/v2/track | 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://HTTP/1.1GETSRange: | npdeployJava1.dll.1.dr | false | Avira URL Cloud: safe | unknown
https://crbug.com/820996LaunchElevatedProcessXML | Acrobat.exe.1.dr | false | Avira URL Cloud: safe | unknown
http://CurrentVersion.htmLync16LyncClassesSoftwareMicrosoftIM | lync.exe.1.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2PA | 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | 393A.tmp, 00000001.00000003.2281492148.0000000001393000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2PA&C | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/convergencefaq | lync.exe.1.dr | false | Avira URL Cloud: safe | unknown
https://autodiscover.in/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://maps.windows.com/windows-app-web-link | 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://autodiscover.com/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown
https://autodiscover.it/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http:///api/v1/query127.0.0.1:8043ModuleUnknown | MAPIPH.DLL.1.dr | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aefd.nel | 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2;Nous | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autodiscover.fr/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/AAbbac2%Ons | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2(PY | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autodiscover.online/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://autodiscover.com.cn/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.autoitscript.com/site/autoit/8 | AutoIt3Help.exe.1.dr | false | Avira URL Cloud: safe | unknown
https://autodiscover.uk/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/AAbbac2)Vi | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2.Rydyn | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://UserName.htm.htmlInterfaceExcelOutlookPowerPointWordInternet | MSACCESS.EXE.1.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2PA1 | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autodiscover.xyz/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://autodiscover.sg/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac25 | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://javadl-esd-secure.oracle.com/update/baseline.version%sURLOverrideSoftware | npdeployJava1.dll.1.dr | false | Avira URL Cloud: safe | unknown
https://autodiscover.com.br/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/AAbbac2(Na-akwadobe | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2PA%We | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://make.powerapps.com/environments/ImexWiz | MSACCESS.EXE.1.dr | false | Avira URL Cloud: safe | unknown
http://ocsp.di | 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1;LIST=;VIEW=dBASE | MSACCESS.EXE.1.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2. | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=wsb | 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/AAbbac2- | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Enterprisehttps://g.live.com/odclientsettings/MsitFasthttps://g. | 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2%We | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2PA% | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | helper.exe.1.dr | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://autodiscover.es/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/AAbbac2PA3Ch | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://clients3.google.com/generate_204 | 393A.tmp, 00000001.00000003.2285571122.0000000001A11000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://https://_bad_pdb_file.pdb | 393A.tmp, 00000001.00000003.2283216066.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2242870387.0000000001A16000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/1rewlive5skydrive/win81https://g.live.com/1rewlive5skydrive/win8https://g.live.co | 393A.tmp, 00000001.00000003.2261499637.0000000001B1B000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2267497923.0000000004419000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2287422593.0000000001B10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2#Rengiame | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://autodiscover.in/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://autodiscover.es/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/AAbbac2-9 | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2PA3OneDrive | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autodiscover.online/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/AAbbac2PA1OneDrive | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | 393A.tmp, 00000001.00000003.2281089832.0000000001376000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281089832.0000000001324000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2281492148.0000000001344000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://autodiscover.com.cn/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://autodiscover.com/Autodiscover/Autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://autodiscover.it/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/AAbbac2) | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2( | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2#HY | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/AAbbac2 | 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 393A.tmp, 00000001.00000003.2276901549.000000000149A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://autodiscover.fr/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://autodiscover.sg/autodiscover/autodiscover.xml | 393A.tmp, 00000001.00000003.2279827259.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/AAbbac2PA$Imakunatapas | 393A.tmp, 00000001.00000003.2267497923.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp, 393A.tmp, 00000001.00000003.2261499637.00000000042D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        No contacted IP infos
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1446230
                        Start date and time:2024-05-23 01:30:10 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 12m 33s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:5
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
                        Detection:MAL
                        Classification:mal80.spre.winEXE@3/121@0/0
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 97%
                        • Number of executed functions: 11
                        • Number of non-executed functions: 31
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 20.190.159.64, 20.190.159.71, 20.190.159.2, 20.190.159.23, 40.126.31.71, 40.126.31.69, 20.190.159.0, 20.190.159.73, 93.184.221.240
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateFile calls found.
                        • Report size getting too big, too many NtOpenFile calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtReadFile calls found.
                        • VT rate limit hit for: SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
                        No simulations
                        No context
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1949184
                        Entropy (8bit):7.593770730062807
                        Encrypted:false
                        SSDEEP:24576:6UPwoTIRPRRgKe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+BqtFtyFWg:fwDHKKkSR7Xgo4TiRPnLWvJoJFW
                        MD5:067D642EDF2776C25CE142354807303A
                        SHA1:51524D6FA22BB7D42FB87EBA8A5491A0DA42B7A3
                        SHA-256:9B145B3B51CB597D76831303FC6D1519E0DCA869F814EAE0B4485498266F12E8
                        SHA-512:A9A81982FCB2ADE111F2EA02F2D1B1C971DB43745981988F85B485A6C0DD3928E0340B03F52972E2A40D5C5BC65A432B48E0C749306BD5DE552EA42035B1D208
                        Malicious:true
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L..._.(c..........#..................d............@.................................,)...............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@..@................................................................................................................................................................................................................................................................................................................................
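The per-file fields in these dropped-file entries (Size, Entropy (8bit), the four digests, and the File Type and section names visible in the Preview header dump) can all be recomputed locally, which is how an analyst confirms that a sample pulled from the sandbox VM or a customer host is byte-identical to what the report describes. The script below is an added example, not Joe Sandbox code or output; it parses just enough of the MZ/COFF/optional headers to reproduce the "PE32 executable (DLL) (GUI) Intel 80386" style of file type, lists section names and flags ones outside a hypothetical set of linker-standard names (the `.orpc` and `.ndata` sections in the previews above are the kind that gets flagged). The test input is a constructed header-only PE32 image, not one of the files in this report, and the report's threshold for its Encrypted flag is not known here, so the script reports entropy only and does not try to reproduce that flag.

```python
import hashlib
import math
import struct
from collections import Counter
from typing import Optional

# Hypothetical "usual" section names; anything else (e.g. .orpc, .ndata in the
# previews above) is reported separately so it can be looked at by hand.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".debug", ".CRT"}

IMAGE_FILE_DLL = 0x2000                 # COFF Characteristics bit set on DLLs
SUBSYSTEMS = {2: "GUI", 3: "console"}   # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated byte, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """MD5 / SHA1 / SHA-256 / SHA-512 in the upper-case hex form the report uses."""
    return {algo: hashlib.new(algo, data).hexdigest().upper()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def pe_summary(data: bytes) -> Optional[dict]:
    """Parse the MZ stub, COFF header, optional header and section table.
    Returns None when the blob does not carry a valid MZ/PE signature pair."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]    # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsections):                        # 40-byte IMAGE_SECTION_HEADER entries
        off = opt + opt_size + i * 40
        sections.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    kind = "PE32" if magic == 0x10B else "PE32+" if magic == 0x20B else "PE?"
    dll = " (DLL)" if characteristics & IMAGE_FILE_DLL else ""
    file_type = (f"{kind} executable{dll} ({SUBSYSTEMS.get(subsystem, subsystem)}) "
                 f"{MACHINES.get(machine, hex(machine))}, for MS Windows")
    return {
        "file_type": file_type,
        "timestamp": timestamp,                       # TimeDateStamp, seconds since 1970-01-01
        "sections": sections,
        "nonstandard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
    }


def describe(data: bytes) -> dict:
    """Reproduce the per-file fields of the dropped-files table for one blob."""
    info = {"size": len(data), "entropy": round(shannon_entropy_8bit(data), 6)}
    info.update(digests(data))
    info["pe"] = pe_summary(data)
    return info


def build_sample_pe(section_names=(".text", ".rdata", ".orpc"), dll=True) -> bytes:
    """Constructed, non-runnable PE32 header-only image used as sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE signature right after DOS header
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)      # EXECUTABLE_IMAGE | 32BIT_MACHINE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0x5F28A1B2, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)                                # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic: PE32
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: Windows GUI
    table = b"".join(name.encode().ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    import json
    print(json.dumps(describe(build_sample_pe()), indent=2))
```

Run it over `C:\Users\user\AppData\Local\Temp\393A.tmp` and the files it drops (read each with `open(path, "rb").read()`) and compare the printed digests with the MD5/SHA1/SHA-256/SHA-512 lines of the matching entry; a mismatch means you are not holding the file the report analysed. Entropy in the 7.1 to 7.8 range, as listed for these drops, is typical of packed or compressed PE payloads rather than of plain compiled code, which is why the field is worth recomputing before deciding whether to unpack.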
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):353280
                        Entropy (8bit):7.422760412668398
                        Encrypted:false
                        SSDEEP:6144:1DLeNYRF0nGZLk7ny2uc71LcnILn70hCC6Auk4ry6PqYlvWEezTdG:RLeKUck7nyyxL2ILn7dd1ryYvG
                        MD5:091F289BDBBB803CC07AB036B10E49D0
                        SHA1:36D8433AD67735271D0FBBFA654DAB1E1D07BACE
                        SHA-256:3EBAE6A0ED295E1E6F3CD4FCF0DF86E9EDED3BD0A745304DE808FF2F9D5EAE47
                        SHA-512:AEEC3F2734ACE6B3EAB0F8FA559892F2F30B1D79CF7535A426B0F7D7CFE6EE3985A201C284A8A5A704F351AB30D7D462F8FCA27B5825D7F882AE2AE9137AF649
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..................................8....@..................................%..d....P.........................$.......8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1086464
                        Entropy (8bit):7.305089331745918
                        Encrypted:false
                        SSDEEP:12288:okX33QTAZKNNy9ZH2grNHmNm5jBqyd6FmWT+LtdNaciolFUYXr1PL+yHzUTvbkM:/gEZeNy9ZjBSFm3lacDFUUH6bb
                        MD5:5A935E33C0233D466513CA53FA427FDC
                        SHA1:71172F5453BD128D7397E1832F31DACC2F1FAD75
                        SHA-256:FB3C614C376CB63D8C419B9B819EFA93FBAAC3A4E38610022851DA25998D42FF
                        SHA-512:4A416D0110337A7791390D25F85F2B6752EBE91763F8836DC296344501EAC5E0758E34BF577F7683A39E5BCE29C3D5AB13F0418551D74452055814CA5C6C8A21
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Reputation:low
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........<.q.]o".]o".]o"...".]o"..."-]o"...".]o"5..".]o".5k#.]o".5l#.]o".5j#.]o".%.".]o".%.".]o".]n".\o".4f#.]o".4o#.]o".4.".]o".].".]o".4m#.]o"Rich.]o"................PE..L...Ly(c..........#!.....~...........s..............................................X.........@.....................p1......d?..,.......pL.......................J......p...........................@...@............................................text...8z.......|.................. ..`.orpc...4........................... ..`.rdata..N...........................@..@.data....)...`.......@..............@....rsrc...pL.......N...V..............@..@.reloc..............................@..B................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2999808
                        Entropy (8bit):7.157466446157664
                        Encrypted:false
                        SSDEEP:49152:YtTh/stNwssHMPoizj5OoWrA4I33dS8RluS/fYw44RlL/4DYDi3:yZJMvz1OoWrMJrfv6Y
                        MD5:C953189C9F7B5C60AB271A806B7A07FB
                        SHA1:49387ED502326267FB9BD6F8D2D7E80A996E86D5
                        SHA-256:40D4B4EA4ED2B9086C99D91FEFC40AA03E36D56AA0A6FF1A4292D5305F089A0B
                        SHA-512:2D1907586E8726E642B81A589D90679A02F64CFD9F6EB8D5D03E5F59038F689DB2BC9403DC82747A34EEACB79F74CB5DBFE555C32E73FAB7AB86226C6A7091C9
                        Malicious:true
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L...a.(c.....................~....................@.................................P.....@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):281600
                        Entropy (8bit):7.696572121156058
                        Encrypted:false
                        SSDEEP:6144:n8vnYCrxEMAWDS8txJRot57gNggRkXzbjEA23oqD30GZA5MAAdGpoJsEOfHddG43:n8wCuU2YNgOkHw5rD0GO5M3dGpo+/pTN
                        MD5:9721ECE1A12C24771E50A012DCA840C7
                        SHA1:04EDA8BD74830F64D867B68847B3BAF3FE1FA9E3
                        SHA-256:1E4ECC6D74C72261D71ACC0C796E229E3B0A6737746C531F445FBA7EEF97125F
                        SHA-512:B09445134DB77FA8528A763CD0BB06694848FEBBBC143783CCEADB9BD0E1FDFA15B5934DE3DFA5C6820A9509EAF3E748B249B88FC425C766DD94F37C9A6E1E54
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@.......................................@.......................................... ...N...........................................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata...p...............................rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):628224
                        Entropy (8bit):7.300125798306945
                        Encrypted:false
                        SSDEEP:12288:SAwc5uFuZni+QqwcIPcbws7B3OhBUtG+XAszmBEF4RE:SAv9i+xIUbTVOhBy1zmBEaRE
                        MD5:85058889A0D19D031C0EAEDB17655F64
                        SHA1:742C683E27952A30C223A6204A1253F5904586F8
                        SHA-256:4B51C010BF9D3BD48179C3E809A3C8E6960F9304872A4E6BA5ED523B7C499452
                        SHA-512:BEEBFA69B48D63E56275CC89918815AFBDBAB5DBE376E4D27BC283AF5CD37EC41382364475A864F68421C86E622C27C0630C3F1DB14EBCAD2A9BBED7A3918832
                        Malicious:true
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@..................................g....@..................................`..@.......(........................7......T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc...`.......Z...<..............@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1524736
                        Entropy (8bit):7.136918837630064
                        Encrypted:false
                        SSDEEP:24576:wANZl3o/HKOhl8XmBLdfGJZCHOTCS56dOA/85RkV4l7/ZUC2VgM8HG:gSl2GJI0CS0OAUfkVy7/ZAVgM8m
                        MD5:A774AAC9C17B02EBA990F030E2774E28
                        SHA1:280FF1B1A2381E5CA384E8B0C9B5395B8FF6F4B5
                        SHA-256:BFC404A515702C3DE8972194CAA70BCE7944F910E8968276E4A6592B8F54619A
                        SHA-512:46DDD3EC82A3171D24A38A75FED8566F7FCA6CA72F09E06701033FB45480CD7A0BEA4D8045295C5A4A089E2165CE75AE79393BF4D6C83E28174D2CE68FDE11AB
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Reputation:low
                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L....S.d.................:...*...............P....@.......................................@.....................................,......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...........t..................@..B................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1049600
                        Entropy (8bit):7.250262156376367
                        Encrypted:false
                        SSDEEP:24576:AyQHUBh2c/5FOR6xDNUYed1eq+58cim8RQFSvhRbjnHFk:yUqcuR6Hed1Z+5Jim8OFOjH
                        MD5:AEFA076725D88204B6DE433A5EC55BDC
                        SHA1:5BDF7B3328E46689ABB1914EF7678C43857529DC
                        SHA-256:FD60ECEBEEDA07F826C7D843BBB754AA1E5CF03BC691B4FDD9DB02CD72BD4C61
                        SHA-512:90E212DE7520955DB35AFE393CDE6200733721BB36E996A9406D50FADAC89EB4F69AB0D2C0C291DCA42D5CF2FA3E7032697FD457FAE7C6E2F134429212EA59D6
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L...+?.d..........................................@..........................@............@.................................t$..................................e..`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...0.......&..................@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1647104
                        Entropy (8bit):7.391564230322516
                        Encrypted:false
                        SSDEEP:49152:XOsXTA/gSlfM0npThnyk/Fw41Tn8ZyxOoc:X1WvVtJaZyco
                        MD5:1489EB212DF61CBD8760B5AFF1B0A302
                        SHA1:57D3013882EC1DDA13972C97A922DE2447E7972F
                        SHA-256:9385B11C86B1D884E423BFC0FE63AB77D828B7EE784F4342CEFD9B1036576DCD
                        SHA-512:17A6ADEE8A5092F55DD589CB907BAA7A1668FDB5E1F3371E5AC8EA9C2771D2354B93FA16A7D9E9368B309B11E541FF08FE8372F1EBA637A5094CF726B293DDC3
                        Malicious:true
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m)A..G...G...G..^....G..t....G...F.>.G..t....G..t....G..t....G..t....G...9...G..t....G..t....G.Rich..G.........................PE..L....q.O...........!.....h..........Pc..........................CS P.........P.......x....@.........................XX..]...Hk..d................................g...v..8...............................@............................................text....f.......h.................. ..`.data................l..............@....rsrc...............................@..@.reloc...@.......2..................@..H................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):497152
                        Entropy (8bit):7.3812574846221715
                        Encrypted:false
                        SSDEEP:12288:UdS+TEKeFs0VwmYc0wqTsfnsmHfB8KVt1XX8RWzu:UdS+Txt0VZZqIfnsmHJ8Kn1T
                        MD5:B10CB2BEF1A96A19035FF056D5B07C3F
                        SHA1:F526E8303B53B4D529EFC851F6D16C49F9B391D9
                        SHA-256:C463B30AFC0AFFF548EB1523E15861D591DA4FD77E00835B43556A675A05D346
                        SHA-512:C68AAE9C7EC946FB8D5DE2FB1319A3DC58BE0C8DD82A938F238E999FDF023832166F998E093B00BCDDF1F820035E0730E1744B288C1823103A719D34481FA051
                        Malicious:true
                        Reputation:low
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......h.uw,..$,..$,..$K..$*..$2..$...$K..$$..$%..$%..$C..$(..$...$-..$C..$*..$C..$!..$C..$ ..$%..$7..$,..$...$K..$...$K..$-..$K..$-..$K..$-..$Rich,..$................PE..L......d..........#!.........T......`..............C................................K?....@..........................~...... ...T...............................L4......8...........................8G..@............................................text............................... ..`.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):262656
                        Entropy (8bit):7.765340434027997
                        Encrypted:false
                        SSDEEP:6144:uICMoQesWrlLVkPLEZXK/we8wgu99c79/:uFMoltVcLEZXYrc79
                        MD5:C9DB986C6432B65CB00812932D6FAB1D
                        SHA1:991E06969990D761D0DD16E0803B9DC8AEBE7F04
                        SHA-256:A58A23A344B0F45831D0F6E8294B407F9F59FE1D8B6AD1D6B59A48E9650B98D7
                        SHA-512:73C36273726808B1B73C5056DFEB68E7A8B17B011403D75059DF47176F1DDC26593D633779389F2E915E785A3EC2F66E221F0AA3EF53D88D423ADAC881181EE4
                        Malicious:true
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#90pgX^#gX^#gX^#n .#~X^#n .#wX^#n .#.X^#n .#dX^#gX_#.X^#y..#fX^#gX.#fX^#y..#fX^#RichgX^#........................PE..L...v.d..........#!................Z%.............C.........................@.......+....@....................................(................................... ................................"..@............................................text...,........................... ..`.data...............................@....rsrc...............................@..@.reloc...p.......h..................@..B................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):494592
                        Entropy (8bit):7.516539252747106
                        Encrypted:false
                        SSDEEP:12288:XVD1IraYVjHngI+WQSvywMLrQTyMmHJJO61xS2l3:XMZX+rBLrq/mHJJP9
                        MD5:5E00332462D3F0E0CACBAB7592D9EFE7
                        SHA1:96F550387A3EC7A330BE19AD2D5FAFB24FF0AA99
                        SHA-256:949BDC185BB00289902FF105B6B1A5D8B2984D9E57376A5A9825007DE19B0227
                        SHA-512:9B9349F0DB0B32D25088A78E2F59C0FA3FABE01D750C5A43EA7A4002BEDEDCB17117C9C417494FDCC56ECC2FBEDC9DFA06411A22DFE1E6BC4AC7D6D5848B74B6
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L....e.d.................N...t....../........`....@.......................................@..................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):516096
                        Entropy (8bit):7.526932154021644
                        Encrypted:false
                        SSDEEP:12288:MI1yg6jTSxz/OlvhI7dDGWNZSloN1P85m1WzQq879xhHWifZ:M+2Az/IKdS48ock1W0RL2
                        MD5:DA9BAB71E14CEA104334149579166F06
                        SHA1:8E64BFB7D5740DB0A43EC138113A82069789D44F
                        SHA-256:8B5F6FEA699430BCBA63E6E4B0E344490E4362FCC14719B783289441AF0756E0
                        SHA-512:716EC12E9E9CF1847F9AA9B206751CEDDA0BC7B8214236FDEB278358EA6CF7A1A6451AE9DF128FE673A0E154D7EA093985364D6936F3C903F540B6674EEC798A
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p|..p..q|..pRich}..p........................PE..L......d.................N...t......7........`....@.......................... ......b.....@..................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...@.......4..................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):574976
                        Entropy (8bit):7.472471629800592
                        Encrypted:false
                        SSDEEP:12288:yiPZJiJGBPhWZfgz6p2Ewix+m8GmMmcqTO/8S6SYMZi:rPZJiJkifgWcEwixbNYdWZi
                        MD5:CFC9B1517DF1418EFBE758772377F0FE
                        SHA1:CEE3C0290433E8EF4F25A1C809F2E248187172E9
                        SHA-256:0E1E6F99B2A093698CCD7B9A273629A98CE50C8FF6088135E71359DAE45205F0
                        SHA-512:EC15F3A935EC8015F348A51941945859BCFF1321DAD37C04D9AEAFA262B3E8AC944017732F6400DEECA5D58B77A7B3A054F7C0BA4C8EFE5A1C6AF25B1E01DD86
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L....L.d.............................s............@.......................................@.................................<........P...2.......................(......T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...........~...H..............@..B................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):479744
                        Entropy (8bit):7.497275824494235
                        Encrypted:false
                        SSDEEP:12288:ueQNm5+dHkDcYmR/6Bitwpx+iQafFyxpwVZIVVOplrbpH5C/YH/Jgwsmyn0oCY0V:ZQ3WZmRe+wpx/QafkpwVZIVIplrbpH0/
                        MD5:1CC481C2BEEABCD07A19C6FA182F0995
                        SHA1:9B9F14997C56A9BCA2494985D3322FF2CF3045DB
                        SHA-256:17686810343BAB72B224920B39E7C43B526E40F43B082DEC4E9EF7A202728801
                        SHA-512:2252B1AE6355063C2720EDB7F0C307D656A42D3E3F1F6F6A6E68C6FBAA49C9AA0D70671F1C75F44C377219705F1FD4EBA759255FCB63CB0FB9E6FDA27227ECAC
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L.....d.....................r....................@.......................................@..........................................0...2...................p... ......T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc...@...p...6..................@..B........................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2823168
                        Entropy (8bit):7.362340236738798
                        Encrypted:false
                        SSDEEP:49152:KRG/SJycv8c9U6ZLFUOaqlwzn6JNMEhJL1Hvr5WraLw4:K8GVY7Oaqlwzn6Jv5Wrm
                        MD5:89C5097E31421027F96E29EBC19080C9
                        SHA1:7FFEAC31EE8B7411815D6731611ED9FB31954E5D
                        SHA-256:3440FE54E4495506EF1034181D1D75CCF0A64CE4CED53721D692A0D3D892043F
                        SHA-512:4D07A8E2163A39F672B582FDBED17F59FEA2979176945C447E9D6DC4BC752325B199F8965D5CF45EE8CC596F8DE14F2D94C3966395B78A480424E93B11DD123B
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5..1q..bq..bq..b...cp..b...cp..b...c`..b...c...b..cP..b..cf..b..c0..b...ck..b...cZ..bq..b...b...c+..b...cp..b..~bp..bq..bJ..b...cp..bRichq..b........PE..L...v..d...........!.....(..........mW.......@................................+......+...@.............................X...8........p...................... ..h....r..T....................s.......r..@............@...............................text...V'.......(.................. ..`.rdata.......@.......,..............@..@.data...H........`..................@....rsrc.......p......................@..@.reloc...`... ...T..................@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):5417472
                        Entropy (8bit):7.259976851934224
                        Encrypted:false
                        SSDEEP:98304:DfKArdytsiVNrEC4CMWStmvp1kVOvco7Dcv/G9HtBecke0CqjNCiuDm:DSArdyu6rECXdStmvfIOLDcv/GRt7ke1
                        MD5:6C364247414585B9194FEC8F5F32F6D7
                        SHA1:C73C5CEA38AC43FBC90CC7FF06606E9352C918DD
                        SHA-256:D6201B55EAD1BA6ED699BCA976A070A7514C30ED7E3FE2CCD4A961894E9C5BAC
                        SHA-512:5E36E64BD26EAC01E507B2DF9D0619F6360A22C5086465CBCEA7B0346DFBDF83C7B6E91C983BE98ADD2052D65440EFB92BA6DC408E022B3BC280FC522DCBF116
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............s...s...s....P..s......s...>..s......s......s......s.......s...s...r..c...q..c....s..c.<..s..c....s..Rich.s..................PE..L...v-.d...........!................q.........................................T.......R...@.........................P.7......8.|.....<.(.....................<.p.....5.T.....................5......5.@...............t............................text...W........................... ..`.rdata..D...........................@..@.data...d.....8..8....8.............@....rsrc...(.....<.......:.............@..@.reloc........<.......:.............@..B................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):698880
                        Entropy (8bit):7.176356793041058
                        Encrypted:false
                        SSDEEP:12288:fhYzRUuId/KadhokMzvq+ENIEyMabZi/ces0ZeO:pBdomLubhT2
                        MD5:C259BA296350C4BFFFA333E22481518A
                        SHA1:C2768CEE855307EB99B92C2688EFF1BC54CF4B1E
                        SHA-256:5AC82A7B4571D3978848961860042BE1AD8FA4D73AA5C47B96AF4C61D9C197D1
                        SHA-512:C8CBA0384D0F28D48E7C41421CC82FCA69C6674AC88F3B67D31E6D9E70D383CF1ED4224FA9089D8D29C1CF8FDA5272D162327F94FBAE6488F77F3CC15683D291
                        Malicious:true
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Y...8.@.8.@.8.@.@.@.8.@.@.A.8.@.@.@.8.@.@.A.8.@.@.A.8.@.S.A.8.@.@.A.8.@.S.A.8.@.S.A.8.@.8.@a9.@wA.A.8.@wA.A.8.@wA.@.8.@wA.A.8.@Rich.8.@........................PE..L....d...........!.........$.......................................................b....@.............................L7......................................1..P]..T....................].......[..@...............\....}.......................text...,........................... ..`.rdata..n@.......B..................@..@.data...<...........................@....rsrc..............................@..@.reloc...0...........|..............@..B........................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1368576
                        Entropy (8bit):6.506463604273989
                        Encrypted:false
                        SSDEEP:24576:vu4Kvuy2RHWAFVbDTvRhKwyv5tjXi/7GYG93XlBt2w:vu4yuzWAFVDLOv5tjKGBXl
                        MD5:7B29BFB55134CB52C52740BEC065FAD1
                        SHA1:D45F1CF9B867B244B1F7ED1C27CB336B9CFD5072
                        SHA-256:47053C920C9C0E8BE54EB8138EB84F2F6D5E8FEF8E7C503D5D1F6CA5B0DBC65D
                        SHA-512:481FF905EA06BEC2B841AB92A0BBC0EDE1E8F5575962F2B150D425AC77F760469A1F7EA89B77D7B44ED0F8D224FA5AF323FD8AEE8BA26B03DBBBDAE0A9539F55
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|..t...t...t.......t......?t.......t.......t.......t.......t.......t...t..qu.......t..z....t..z....t..z....t..z...t..z....t..Rich.t..........PE..L...3..d...........!......................................................... ............@.........................0....................................... ...e......T...............................@...............l............................text............................... ..`.rdata..............................@..@.data...lZ.......L..................@....rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1888768
                        Entropy (8bit):6.727916425414842
                        Encrypted:false
                        SSDEEP:49152:7iSuHLCnKQKMRfoKAdMCbOEWHRJ3LMF2:7iOtfoKAdMBL0
                        MD5:E81B56F06324AAE37569A6D6AC1FF0A9
                        SHA1:C941ADB76C74583FE5F9912D9007DB1755E0F161
                        SHA-256:EBBD6F73C45FCF88D4085A12B8AA29FF1AA46ED6342036E643B0D08EBA3E48AA
                        SHA-512:F0BC443CE449A451F211CB38569DE60AF4BFF95E058E11F0574FED4C92183594E5CBB3FDF25FD9248ED70BB823DC3C9444435571B4498E145E69ADA5B9B5D2CC
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m]...3..3..3.g0..3.g6.y.3..t7..3..t0..3.g7..3.g2..3..2...3..t6...3.<u6..3.<u3..3.<u...3.<u1..3.Rich..3.........PE..L....i.d...........!.....(...................@............................... .......J....@.........................`................P..P....................P..........T...........................P...@............@..X............................text....&.......(.................. ..`.rdata......@.......,..............@..@.data....L.......4..................@....rsrc...P....P......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):349696
                        Entropy (8bit):7.363556991283234
                        Encrypted:false
                        SSDEEP:6144:ffKFkcvb0wZfSveq2WpDdsUkuKPAvyJxTLdCgTNoRnjM10n:f+kZ2WpuuMRd5TORjMGn
                        MD5:1EC28754CDD955C5C4075AA7F933E8FB
                        SHA1:037DF5F92E01DAD0599413F87CD6B8D7A3150E23
                        SHA-256:8E05772B7DB5DDAB183AB68C36F766036BD065959E3A4164389BC89C46E1390C
                        SHA-512:B4F40B96FBBE37A58DB50D99135A1E43E6D860BC64ACB4983FBA81EFBD9F1528641936258B4F78E908B3D3D977A0561CA2B73E24860E70E51A784886461AA970
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... .L.N.L.N.L.N.E..F.N...O.N.N...J.G.N...M.H.N.X.J.M.N.X.O.A.N.L.O...N...K.S.N...K.O.N...N.M.N.....M.N...L.M.N.RichL.N.........PE..L......d...........!.........,............................................................@..........................\..L....\...........t..........................@6..T............................5..@...............4....[..`....................text...T........................... ..`.rdata..............................@..@.data........p.......\..............@....rsrc....t.......v...j..............@..@.reloc...........v..................@..B........................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):370176
                        Entropy (8bit):7.541014425439325
                        Encrypted:false
                        SSDEEP:6144:h+04G33OukpvgyAN60zUvVvt6fJl+5hXwlSSObpIrP8j7CS1vf0:eKkpYMypmIz8/Cof
                        MD5:F30D3440244725EDA5A27A107FD7BFFF
                        SHA1:3A8FFFB0A1AC05F7115933D13B00F1EAFF9CB424
                        SHA-256:7461A947C75CEDCC22E07B2D11FD6FFEA2E03D77E897C120839A651C1B3F2349
                        SHA-512:AD5CB52E723D96A91AD842FCB5B7BDA03CC93E9CBF2B6CDBFEBA6CE2E20E16D4113305835409A90BF849003A015E7E65966A0D37B06247546EBA7D500BB61B3D
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................H.................................................l...............l.......l.......l.......l.$.....l.......Rich............................PE..L......d...........!......................................................................@.........................0...P............@.......................P..........................................@...............d............................text.............................. ..`.rdata..dl.......n..................@..@.data........0......................@....rsrc........@.......$..............@..@.reloc.......P...~...(..............@..B........................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):796672
                        Entropy (8bit):6.808028394584957
                        Encrypted:false
                        SSDEEP:24576:zmwtKBp9N1GtjZfYedZIp/d+Mz3rQKSSjeSgI0:5s31CfYedZAdNrQd20
                        MD5:F1C5F98D01F85C5B8B432FD0F3F03EFD
                        SHA1:3B80AD12E30CC1379C01470D98C837D46690EE1B
                        SHA-256:E7850548BB57C7E92D0B447707AA5058EF2D748275354A926A87BFAEB232B1DA
                        SHA-512:EBA45250A4D3DE2A19D479BE1F12C02BE30269ED480D77FDE70B9C90E19028577EF65E73104B9D0A0BD5783B75FC3FCBC6463DE129A61735D54A24BB400521CB
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..............................a......................2......2...................2......2.c....2......Rich...........PE..L......d...........!.....R...8.......1.......p...............................p............@..........................<..p...pD..|................................$...7..............................07..@............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......@..............@....rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1026048
                        Entropy (8bit):7.163467822727463
                        Encrypted:false
                        SSDEEP:24576:l/MScPs3DQ07+sb49qojJriNsd8hxurrMmSVGA:lNGK78ooZ2hMrbo
                        MD5:5712E0B1B9070647C0DA2424A396EACC
                        SHA1:5343E4AD62A2D0655C8B626BC746D9C0715E663B
                        SHA-256:9FC901FA5141D1D197F0B230C527FD7CD9CEBBD1306BE1C8CEBF38C140DF3444
                        SHA-512:CFC2A820124A5EB9475C880EA3F64EE14613846BD118A6DCE5A49AB19D9C49D5CA91A93A13A573C695128863791C7C5B4D86A6C7B7E4F837FC1AE4D07B7CE57B
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L5.y"f.y"f.y"f...f.y"f..#g.y"f...f.y"f..'g.y"f..&g.y"f..!g.y"f^.'g.y"f^.&gJy"f..#g.y"f^.#g.y"f.y#f.{"f^."g.y"f^..f.y"f^. g.y"fRich.y"f................PE..L....:.d...........!.........N............................................................@.................................|...,................................c..P}...............................|..@...............H............................text...(........................... ..`.rdata..............................@..@.data....+..........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):350720
                        Entropy (8bit):7.589601005872513
                        Encrypted:false
                        SSDEEP:6144:yPCZZTXi+1lHyEIFuL8n6W6OW4X0bSqhPRo:yPmZTX9XH5IFP6WXWxSqhJ
                        MD5:29D47D9D7A374775C07BBC6F13AA5553
                        SHA1:E886B846EF7AF901B80496D1EEA0286ED9698F5A
                        SHA-256:5F564273D5C39C9D518C738EC295A9490B0D9FADD4636FEA3A773C3669ACCDA3
                        SHA-512:9117DB6457AF53A4BE7C77CFCC14612F01B1ECD0CB84EF490FAD3AC7AE333FC9F781C4467290E1F1FB9632FC591F65CEB7929D55C688E68E8E3479CC48CBEAFC
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@RR...R...R...[..F...0./.P...0...W...0.+.Y...0.*.X...0.-.V...F./.U...R./.......*.H.......S.......S.....,.S...RichR...........................PE..L......d...........!.........|...........................................................@.............................l...L...................................L.......T...........................H...@...............d............................text....~.......................... ..`.rdata..$T.......V..................@..@.data...D...........................@....rsrc...............................@..@.reloc...........z..................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):258560
                        Entropy (8bit):7.729986745586596
                        Encrypted:false
                        SSDEEP:6144:+cV6d/xUyGnFXsTGZ0Q8uUhNYMG3fanNDfWdNcFdY3Ev:+BdJPGVs+VUhNY/veNDvkE
                        MD5:88E1140553538E9CDC82EF887939130F
                        SHA1:B0BE3F17FF8F92BAFDE3422B4A626191ADDEBF3E
                        SHA-256:DF5DAEE7C36D549266040153D6B0BF4DB1B291EF2B5F6BF5851E870B27064992
                        SHA-512:D688D1F90BFC947A213846650730EA6FF657E1457AD8C4A5BBCFB640947B4FAF8F32F765C4024B88627000315131F02C940D0989B78FC7906EFAD7BE06CDDC31
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|XY...Y...Y...P.._...;...[...M...Z...Y...s...;...R...;...S...;...X.......Z.......X.......X.......X...RichY...................PE..L.....d...........!.....B...B.......H.......`...............................0............@.........................`... .......x................................... ~..T...........................`}..@............`...............................text....A.......B.................. ..`.rdata.......`...0...F..............@..@.data...$............v..............@....rsrc................x..............@..@.reloc...........v...|..............@..B........................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):276480
                        Entropy (8bit):7.731849757147938
                        Encrypted:false
                        SSDEEP:6144:7lULCqLabksNLo0UFaWeiexILOPGVe3vbhumPN1ZFNq9I:7aCIsNLZUFaWequg2vVb1L
                        MD5:A9714587953A1F0813250F03BF0B3377
                        SHA1:93443394EF8FA8027BD77EE3634EE41E428CCBFB
                        SHA-256:9D6E9D2276E0B3F98A185E6933707499E1C759D05BDF0FE20F6AFC9CA0F152CD
                        SHA-512:F4B2A244E44EFAC345DB6CC3A1BFF3064B56F9ACC4354BF0A2C2DE00E145A718E617782586129097012B0EF3BBE07C0BDC6287E224AEA6D75BB1F123C44E1AED
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z..^..............|.....|...................1...|.......|.......|.......................................Rich............................PE..L...0..d...........!.........>...............................................p............@....................................................................@...p...T...............................@............................................text.............................. ..`.rdata..x-..........................@..@.data...............................@....rsrc...............................@..@.reloc...........|..................@..B................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):347136
                        Entropy (8bit):7.660745580232739
                        Encrypted:false
                        SSDEEP:6144:zsNSVjTXGjUOHdzPS5mpthgbCs7LIms5a6qUyXRNyKnpq:86XGo2w8fgbZJs5a/UyXRNy4
                        MD5:3610306FFFFD0C543AF5A38F0612BD93
                        SHA1:842D429333E8806EF9F2117D72D050A61BF9B973
                        SHA-256:2F2953CC21CCFC391D400858E1A7B8E69B6B91D5A8568998CD4827FBCB44734B
                        SHA-512:C5F100788510394D3A4909B48E74806876676D4ECB7C9F4B436795F5B2A8F224E3E80935F3A8015C91F5D341624C3047C8E2CC4ADEC1550FE7694650D2E27ABE
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~6}.:W..:W..:W..3/..*W..X/..8W..X/..0W..X/..?W...<..<W..X/..5W...<..;W......?W..:W...V......VW......;W.....;W......;W..Rich:W..........................PE..L.....d...........!.....F...........K.......`............................................@..............................B......,............................ ..$...P...T...............................@............`......l...@....................text....D.......F.................. ..`.rdata..F....`.......J..............@..@.data...$...........................@....rsrc...............................@..@.reloc...`... ...^..................@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):507904
                        Entropy (8bit):7.48332850259524
                        Encrypted:false
                        SSDEEP:12288:XWdf6fpNBYzDSvyCMGTStrVIA6X1WlaK6bMdtSh5:Xbx38/7KStrGA6X1kaiHSD
                        MD5:C3162BC66B0F1BDB8CBEE4BD27172C22
                        SHA1:0E49270D32DEF3124EED853C6312782BABE87130
                        SHA-256:4A321EDB3A8D49593BB9FCEC9F1B13D7BFE4C2CE15C82D8021CFAA7A529E5CF3
                        SHA-512:7076CF179E4D55860CD7EBDC434B0B084846FE8AF0D3E87D204DC4DDE577A45C82791B460ABDB43832EFC0509164E989511D8543C1F587660A6944A7B74EC06F
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L....7.d.................N...t....../........`....@.................................P.....@..................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc... ..........................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):468480
                        Entropy (8bit):7.472497511497981
                        Encrypted:false
                        SSDEEP:12288:xmstTWhMx45r2pahPOUvWlOaviuZdn/bICmL3PtI99YhpFK/fL5M:xmw0M4pAahMhvim/8jK94FK/jO
                        MD5:95A5EE5579BCAA7688468668B2ABB3FD
                        SHA1:D4D0ED35CDA56A18E9B11D47CD13025128C4BD84
                        SHA-256:CB6A9FE69EC32AE0702D964B2E6480E4948059F8F436328A97D47B5235F54EB5
                        SHA-512:1123F00E7AA942EAF21D26CF52904443E853E1FE327D32216A35A224F649880B8B52DA010BA54C6DFB1B5AD6FAB2A79F1CE5020E6C83446805D0FA3C8C5CDC14
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............{...{...{..x...{..~.d.{......{.......{...x...{..z...{...z.h.{...~...{.L.~...{.L.{...{.L.....{.L.y...{.Rich..{.........PE..L.....d...........!.........n.......O.......................................P......1#....@.............................\...<...d............................P......p...T...............................@............................................text............................... ..`.rdata..............................@..@.data...P...........................@....rsrc...............................@..@.reloc.......P.......&..............@..B........................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):292352
                        Entropy (8bit):7.694278285726103
                        Encrypted:false
                        SSDEEP:6144:90cPnhMzc7QFFvnNlQ8ZOcFF6IWugKHRuHzeymCzG7PJhqi0kjOs0aqJJfLNqEei:mcPS3F5N/ZpFF6IW7KHRaey5k79ts/ek
                        MD5:6ED2EA77BA13750B2CFC04A95492858D
                        SHA1:A9614BFE825883FB2FEC3BAAF87FC6BBBED10304
                        SHA-256:1C5C007410828F120040AB9791C02343BAEBC29763D94D9D977BA626E5C9711E
                        SHA-512:1696A926D7F0ACE5F18D6A433B2A4EBA262A819D8C0E947C78C189615A4FCE28526CA8B7BC4735AB750126FA68376ACC9B6F04C596A4CE4F032E9482D044C663
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6:{.r[..r[..r[..{#..x[...#..v[...#..p[...#..g[...#..x[...#..s[..f0..s[..f0..y[..r[..?[..."..s[..."..u[..."..s[..."..s[..."..s[..Richr[..........PE..L...}.d...........!.....r...^......Iv...............................................O....@.....................................................................p...@...................................@...............D............................text....p.......r.................. ..`.rdata...F.......H...v..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):491520
                        Entropy (8bit):7.5018940320264695
                        Encrypted:false
                        SSDEEP:12288:1tQ6jOhCNGe/JwlvhR7QbzLlIYpMBc4Tl6IL/PLuH:1fq5e/JaFWNpGDB6IbPy
                        MD5:4FA800408D07F2E883314C588039F4C7
                        SHA1:3217973F6A733373FD07CF208B368F7FADE518B9
                        SHA-256:9009BB53D5A3AA604C362B8E87F63FBD415C8A573CFB7D76DFA10F55D48275F0
                        SHA-512:BFA0DCD4AAE86565D23D5F265620E58E4C32A1AC16A257B89CF10A0657C3E1C29BDCBF148D564542FBD042EFD657B2A17D64DE1B722AD443063CEC79AFA68391
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p|..p..q|..pRich}..p........................PE..L....".d.................N...t......7........`....@.................................5.....@..................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):413184
                        Entropy (8bit):7.605752150297272
                        Encrypted:false
                        SSDEEP:6144:JNUCGfXkDn9ch4I2P3ih3+xW8iyCOnkfrxGIk4NhRBQtIAVVwgX8l0zz4c:nGfUDo42h3+xcOnKdGGzAUy8CzMc
                        MD5:5E2AC72E3557399C3FF411B993062696
                        SHA1:E19A42D111FC1420A25EFF7882D47F0A307AD949
                        SHA-256:110BDAB18E47DB15FF4ECC1CA08C5873E2FFB73AD1F9A48AF1FF82548CEE1E74
                        SHA-512:AB456EB3C5FB1F1AEF739B5997EC943347004F6D6BAD84717A2673A46F10994ACF46511F7E864E1974927AF3935C21914C698836CC884FDD4BE1912F06B1F2B5
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):68861440
                        Entropy (8bit):6.940259328383453
                        Encrypted:false
                        SSDEEP:786432:Dzxnnq1tlSKJMbXHdD6MJqlldIVRfHE58+plIGC3CrYVcbG+qRzqtlT:1nq1a++X96IzfY8qIGCk2KlT
                        MD5:E8B29ED5B0909DB0992EA908E9F4A311
                        SHA1:CB8481EC4B594DE4F6271F59AB00DB2FD2B5BF24
                        SHA-256:A04F33100649A76D8B00CFC7525DF8F770EF23150A07FB1641738CE1B5229E7C
                        SHA-512:68A508DE0269E74B01BD4A247DEB900869DE88DE4C7F3D1874740A84E160B61D0565523063F19AE4CF4D59D1ECAFD1F417E1C51902450582622612665E1C5C7A
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):474624
                        Entropy (8bit):7.595739211779997
                        Encrypted:false
                        SSDEEP:12288:vvXCfIjs/W94FslcoaNR+gXY8BeAI39Zi:vvW6fZGoM7JNy9Z
                        MD5:564FA71647959FFBD14B08495442A773
                        SHA1:B1441F300D03DEC127F6AE9C1E0A2CA2E5ECC5CD
                        SHA-256:C2C369FC20B3A0E7D76F2D690190F6150AFF4A1E40C6A01883FCA348238DB8E3
                        SHA-512:1DD8C578DE497AA5CBB416CB13D5D7F2DDF4DE6819FB444B655027100F4E7DADFAA57A3078B4C62BE826BB8A9C84D55DDF0A2C0FC2F8A69DC155586EC7864FCB
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):518656
                        Entropy (8bit):7.201400118903446
                        Encrypted:false
                        SSDEEP:6144:R3RJ5Mbfh/Vwe9nsBQhBNWupVqi5rZCBeBP01uiMciYgr9R0CBrePzE3GRYl9MmW:RBJ5Mnns80oiMckkCBEE3GbLH3N
                        MD5:576536CE2D2E66EED624685448C2600D
                        SHA1:07F3FD4CAD9EB4A19FEA734F542E2F3AF39B894E
                        SHA-256:06864F0F855C939A3C9261CDBE340BF1FC5AF3239ECE07851BF87278C92E94AA
                        SHA-512:1A292DF92B9C2350381B0B67CA095BCED9826C0CE98457205C48496D27284495C1262F52A9CBCE158645DA5E29A8CA08125AC3B0D7FA150FC4CED9C8C02FB1C7
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):346112
                        Entropy (8bit):7.536366837437644
                        Encrypted:false
                        SSDEEP:6144:CIfjd7z/H+c9njyoEUE8DYZwGHL3anaaqGwca7Dai9Zr+ZnWdEFLiQ+7x9vSTRoY:CI7dv/RVVSa7sOqSZCsiQUx9vkCyBEIP
                        MD5:FDEA2C38B54B6D9ABCE2B879D8EF4926
                        SHA1:E3BBA20DF9F26930F8AEB5106EC5112A7641557E
                        SHA-256:2634626A08637C8FC81EA7A9E77DDFA66B4B9E8EE8BB7030E85F973186CA011D
                        SHA-512:5E93299EAA204E649043BB24E65521B7972FD7062EC99F076C2D5429CB9B45F7ACF988A1F93ACAA905B717D5CE0B1589F60EF18D04BE23C72462E0D22631FBF7
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):514048
                        Entropy (8bit):7.3428542330768005
                        Encrypted:false
                        SSDEEP:12288:Vq5BOlZyKuDMpuh4wk4vRGaEzky2SL95pl5Fkyur4ou:obDMwh4TRpgHSL9HFk+ou
                        MD5:33631B3757862A070A01C71D5DA16354
                        SHA1:C92A5F007092BC594964A3875AF8CB6C9022A08B
                        SHA-256:3CA80838ABDB458C8B666D3A15908F07E5A680442067BEBFBBF04F1B0B035BE7
                        SHA-512:9D20BC783B8D24906A1B0C020935730DBB54BCEBE1EEA02516F7E656B84638A04CDB42F9B99250B01677C945E63B86FB3DF32ED935660C7D3BE9EB4E243BAFEE
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):224256
                        Entropy (8bit):7.791509814770253
                        Encrypted:false
                        SSDEEP:6144:oLyMThg1/Iuq4spYjCmozC4GR1SgRAJBRfJBzX:VM1gpIu9s7z9+1eRBBz
                        MD5:52D628A23688880A42FA8A8BA49CD360
                        SHA1:E566CC9DCA82C7EA8BCAE54BE12D8D0C5B1E2BA0
                        SHA-256:983E677D037EDDDF9F4F6DE34C233745D815C9B7026165AD9ADB7C011A89A4D3
                        SHA-512:D164AAA01D2632D234ED608CC34028A472DBB1113C7FF921DF30C214D50C45F2DC50A196A89B5283C510CC5B45BF1FA2CF4A5D2ADEEDF603466B6401B8CDFE46
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):247808
                        Entropy (8bit):7.75737837958272
                        Encrypted:false
                        SSDEEP:6144:h5HGIH9SUsR74OQAWWMawDLN4sdBIE/t5nHTYIK:hZBWEu+PDd3jzYv
                        MD5:891068D80610688244FF181D05194808
                        SHA1:C13FF662AE4949821DCE417CEEA3A5D6C7501EDA
                        SHA-256:9B6B271655C8C57353C1F1F5A9A10B2AACA855BA96C05E9B5A587F160A75648B
                        SHA-512:F40AA03D14CD065F615578C7CC6CAE7D6505DE3758D1C533C3644ED31AF728673D19D0CB2D0F7D46FC128D78792FCC82A82D2DD9072239C349CBF6401E56E9E7
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):497664
                        Entropy (8bit):6.963804506175665
                        Encrypted:false
                        SSDEEP:12288:9g0cyVayXdu6koiGfZhItfFlqXvAVArG0aL:9g0cyVFtsoiGfvIVAr1
                        MD5:AE8838CC91AE434D4AAFE1D0DF97A72D
                        SHA1:DDCF4142A4253B585335D886650426EBD934C551
                        SHA-256:B66207BD29F51820228EE96737EE8A9B3443F261467E9ECF838BAE32B997EE13
                        SHA-512:3A2AFF5F5141512CAF262871C4B3CFA72BFBDA6BD43605F986B110E8D6D2E5BF50029003A03BEE20263EB402D2EC84928C2F6D36433FC5FDD9828E22A1A0A37C
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):400896
                        Entropy (8bit):7.59752729516886
                        Encrypted:false
                        SSDEEP:12288:XtJnXtqmymu8GJ0uqWz7C2tBEjv0dftOt:XrXt0vDp7v6v0dfst
                        MD5:5E22A3405B5797C1711B0056F47B7E89
                        SHA1:2C624E58D6F6B478F6FD08CC9F145F73DAAB72CC
                        SHA-256:8FB0F99F6869D486F47F17A24AED33F9097051335899624F2DA2EBA069975D09
                        SHA-512:22C79CCC2468FC869D69AE3F12B2C4D7142A3F8EA63121E2CDA6C124EF30BDCC7A15005736BF6694DA30521E8F91DF3320378D2FE2544798BA30437247A701BA
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):886784
                        Entropy (8bit):6.4961095523063825
                        Encrypted:false
                        SSDEEP:12288:GJo3lcPAuD68aPc7vGTa3sT+2b9uCPDMVTgHAqayCbM7mQu:GJJ8GvGu3sT+EFEgRarx
                        MD5:9815E7235C1E049D9CEAC67263F72A58
                        SHA1:09863E895AF135A45E7B65D9E23E7310D2518592
                        SHA-256:9B7AF73F9B81850B7BF3B07F3FE5C5871F5A75F72ED7842DAF8F2489B4AD1062
                        SHA-512:8678CB72EACBDEAF4880516BDBA53837B6EDEB1F276A05B4CE7066D936CB2AF40992AFBC724952BC6F7A78D65F6CD3EDDA5411869221A733E003DF44A0758924
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):433152
                        Entropy (8bit):7.502304756655733
                        Encrypted:false
                        SSDEEP:12288:wAPYBTZUrc5oJlGcr/YuQK8N0D438p3Ij:EdUjGWQK8N0DBFW
                        MD5:3ED55FDAEADFEA9682ADD8EC1A2FDB6E
                        SHA1:C6AED60661DA8F02551E05D1323D544F6D8E41AD
                        SHA-256:9FD5D446ACEFCAAC37DF7977F6B0D23483676810C46208499B7F06AECEBF4D57
                        SHA-512:06528F8EC2C4129BA9218B7130910C0635F3D5F2A4DA8012D4702A3814EC3DFE6F9E6991C7848485963F1CC623412162E7ADC867E4FC2BB1A30F09CE39DCFDB4
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):667136
                        Entropy (8bit):7.396464353975565
                        Encrypted:false
                        SSDEEP:12288:KWmt0LDddzRIQTv/ksuI4RAjRGywuC7P/N3SMhL4ime5MEs2ZWWPe:KsRRv/Gwb27P1iqL4iW9WP
                        MD5:78B7C204F5C12F664EA24C1E94916CE1
                        SHA1:CB91537C51D49E9208E686AB01CB99DFEACEDE3D
                        SHA-256:891F804143B98EA2AF5C7863AC6C73D663BA653DCF97A8410FEB7106B665968F
                        SHA-512:EE794D041ADED7BB218A3CF3EAFBC393CCDCF2F4C4F9E92E45D84D460AC4A4988BDEA74DEDEA65540BC4768A80F47ECCFEC1F7F018A4DAEF0E1E06C413D46EB9
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):482304
                        Entropy (8bit):7.5218702372581685
                        Encrypted:false
                        SSDEEP:12288:8OJGS9+xXiuXxYizVh0Vn93X/A3cZtc/M7CQmZ:88B9aXj2izVc9jZtlCQ
                        MD5:E7F4ACD714306570AF7AB6ABC18D8665
                        SHA1:16FBCA6E115763520350225D8AE1F7C2F467EB31
                        SHA-256:D5DC3D5BF6BC7A0ABF85CD59695AF51A82009C7A5E7E745D3BC48D7B4ECB588C
                        SHA-512:C004ABDC298F34F64F95A4B611AFF8F977A42A99AEB60141206022C0636CEB1A11BB594F3FA9AB395AFA656B846E227511701CB1269964FD34628BCD4F7351F9
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):5659136
                        Entropy (8bit):7.237538399602433
                        Encrypted:false
                        SSDEEP:98304:qtvP7ISd6xwrPIk0kd81Vt3UvFLOAkGkzdnEVomFHKnPCzEvKT:ysLRkx81Vt3CFLOyomFHKnP
                        MD5:49246C96D22FC96B8CC47718F7A3C6A5
                        SHA1:9BF71798732EA1D9177B86E95A8F2421F01BD8AD
                        SHA-256:F426FE26B19336F8528241782E8DC182AF563651836C50275930513B58B1AAFA
                        SHA-512:AFC0D868DB3E52E88809A2F3A6B7D11C36A4A5FEBD2DF8FD4C111F8E4D28683FF5E300515200B995E0AE423457F3650420F72A7E2459DE26BD18227B57C5BC08
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1344000
                        Entropy (8bit):7.382556246970814
                        Encrypted:false
                        SSDEEP:24576:GmFyjk95sHZFEcwbOGuIBsqfWKpFWoYQF1aUf32BZPQcbkhis2USvpys/:VM5eaIB2osUf32BCWwWLn
                        MD5:6C5F2175BEB1CF74C48F2E42E37E95C6
                        SHA1:78FCDB69E6B01E91C51F74784806CFD510EF8F0F
                        SHA-256:0074A6BB4F2BEAE9F3DD6B9D1295F9C193BE19DC7956DE23AD308CCCFA3BF9F8
                        SHA-512:B6AD0A6F8364EBD2A01F9B9A5BF54B14D83100C3F6A8611C84BF655984B1DDACCE505EF8DF7435A222DAAE44F76390342811899AD6694D8105D92C3A8F751376
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):52776448
                        Entropy (8bit):7.962847326745661
                        Encrypted:false
                        SSDEEP:1572864:q+6L44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:4icZmsR3Lo/cnLe
                        MD5:4788BA669DE1B3CFF07BCD5F3A0682FB
                        SHA1:B4366DA3F74166B81AACDF3BFD6B0C0BF239E529
                        SHA-256:54E6370A92343B64164A601F41A5CFE554526331E2BA0DDB61AC409033515A70
                        SHA-512:1B0A95197A83155D885017E01B6317B4AE353E91B9F1576CCE7492536E82E11F29E145E053A9B252ED250FBE911D2E2CAE9788E8B5D3DF575411578F002D0E66
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):5466112
                        Entropy (8bit):6.999680756656967
                        Encrypted:false
                        SSDEEP:98304:j2lTh0u+QgOnSXU2zOBiJvy0FTftw//+5VSmmV1A0vl:ilTh0ogPvNJ60Do+7UA
                        MD5:8A63C97642562B27B2C72EC7482B15FB
                        SHA1:04C0C8336F83EBF1E48323F279F69AE781CEC77C
                        SHA-256:EAAAC88BC975E453FC9627FEDD7E2511B5DFB479DDDF9911E33E51D1D2BC7F02
                        SHA-512:95EEEC4E6A51090E2AC189A63AA54EFDEF6158388AC1849573BC6462B17ADB440C467ACE67BD1BF3822198F05650351E58FB152262F2E8AFEBA3F86CA01027A7
                        Malicious:true
                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L...0".e..........#.... ..*..Z........%......`+...@...........................S.......T...@..................................=......p?.......................?.....<.=.8...................P.:..... .+.@.............+......j=......................text.....*.......*................. ..`.rdata........+.......*.............@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc... ....?......R?.............@..B................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1654272
                        Entropy (8bit):7.402263441247231
                        Encrypted:false
                        SSDEEP:49152:ic4Ss4fsWAQ1mWyTgny2PQVb1T48ZyqBcJOlDpCw:iPjujPYF9ZyBKp
                        MD5:64B680B934317DD4A6412FF5E83668D8
                        SHA1:5E06B9D30BADA39B797F2367E510BAA9CC9E96CB
                        SHA-256:5C7E9E61EB332A21A688684109DD9B9C33D33560ED129F10BFC39D6D672570D0
                        SHA-512:B6FE0F0A589463E49A034B699D8B9868B86AE590E38C40BE0CD8711B69DABEE97DB80095A1E550F678FBACB9ABBE0B8054B3AE33648ADF148451735A5329F7AC
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m)A..G...G...G..^....G..t....G...F.>.G..t....G..t....G..t....G..t....G...9...G..t....G..t....G.Rich..G.........................PE..L......O...........!.....h..........Pc..........................CS P.........`.......O....@.........................XX..]...Hk..d................................g...v..8...............................@............................................text....f.......h.................. ..`.data................l..............@....rsrc...............................@..@.reloc...P.......N..................@..H................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):896512
                        Entropy (8bit):7.1682951894481475
                        Encrypted:false
                        SSDEEP:12288:ClUlOSGTwzf/ar8LrCk35Wx+htM0NuLJe32WiuyrGKkSeumB7vR:CyOFA/ar8npWmlaE2dpEN
                        MD5:C986DB320050396F929C36A42B0B418A
                        SHA1:09B293899EF55F8092910CBE3A117CDFF6542586
                        SHA-256:2448266070494B6BDE48CB620D97A99609D42B6B7D5200C0C756EDE6DDF51F67
                        SHA-512:6F9BDAE74CE77F9BD78A91BBEDF3CFCC24DEF37BA033042B172562AD18B2C318381F8A970EF70EF2C7B2F47CF7C39A690AEA11126B3E46BC07629B7662B9F840
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._t....y...y...y..m...y.{ox...y.{o|...y.{o}...y.{oz...y..g}...y..gx...y...x.[.y.~o|...y.~op.C.y.~oy...y.~o....y......y.~o{...y.Rich..y.........PE..L......d...........!... .R..........'........p......................................,R....@.................................0...........................................8...................8<.......t..@............p......l........................text....P.......R.................. ..`.rdata..P....p.......V..............@..@.data....p... ...h..................@....rsrc................h..............@..@.reloc...`.......R...\..............@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):273920
                        Entropy (8bit):7.634061131238258
                        Encrypted:false
                        SSDEEP:6144:4Ln768Ode/NaM1gXMcG/PxSnD3EkgjmcZQnQDI:QMW4Cg5WYzEkkNQI
                        MD5:79E39057DE74D2053E6A9857D6AF3D07
                        SHA1:D6AF6C7323BB4301F5E8BA5184DF9EBC0AAB5D15
                        SHA-256:403CFAEF18C8D55B9FA37FAC8CE83C6A30AB0151B4070641FE201C53DBB49DAA
                        SHA-512:CCEDF5E815AA1D4E7E39DFFF0F5EB678C697E7F1FB6FE619B117B55425BDAB78DE07A482105DDF97404186A6FEAC4112C14849A852013B057E12B72BF1E5BCE9
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._...........I.....................................................................%...........Rich...........PE..L......d............... .F...P......`?.......`....@..........................`......u.....@.............................................$.......................t...P}..8....................i......`d..@............`......4o.......................text....E.......F.................. ..`.rdata.......`... ...J..............@..@.data................j..............@....c2r.....................................rsrc...$...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):3195392
                        Entropy (8bit):6.916491524083063
                        Encrypted:false
                        SSDEEP:49152:2PJisyCCMSpfDT/QbnECLFJyjkFyGmtfIneetD949biU/v60neJC0pl31:GTSd7f6JWrfIeo9480T07l
                        MD5:7D403CE449094780590AC58D43F5BD24
                        SHA1:6E492A2FC22F4C433F9888D243D6DB39E73B760F
                        SHA-256:7BC28C91139EDD54241AE7BFED98ED61C4C7114670B8F423A2F1F8D2570E4369
                        SHA-512:37411993056495DB0278E9C288D044FF9547CA9EC9553EF0982E5DA433C65D12C9CEB385851CCF8960AD910AD26399420774D04B72CA51CC9B0EC81BC6C3EBDC
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6HW.W&..W&..W&.+ ...W&.....W&.+ ...W&..W'..V&......W&......W&......W&......W&.+ ...W&.....W&.....V&.....W&.....W&.Rich.W&.........PE..L...n.|a...........!......#..D.......u!.......#...............................1.......0...@.........................`.#.....l.#.......(.H.................... (.................................... "..@............................................text.....#.......#................. ..`.data....'....#..^....#.............@....rsrc...H.....(......0'.............@..@.reloc....... (......<'.............@..B........................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):315392
                        Entropy (8bit):7.604521032041654
                        Encrypted:false
                        SSDEEP:6144:nhAuBfPiNBXgrttJ5uEj5haT6BLOU96iaPR0OSU5K7yCR463Tlufpl:hjMNxgr3Wu5h1I/i8vLA7ymNkz
                        MD5:3CD94DA50703DDB6DA90EF03D456EBBE
                        SHA1:9B303343263C54A0440B2CE781A6F31070EE82F7
                        SHA-256:90F081F68C5F3A5E3562FA5C52F11266CDF9878D981BE4009AB4671FA3673F50
                        SHA-512:47B83C03E7C15143FAF77A50EAD14BE147EEA393E2A61D0FCEDEA1B92602E0D8254A0F826CB84544E73C4A6DAB475CA383D994AD704598AC070A39B1BBC81023
                        Malicious:true
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........OK...%^..%^..%^.V.^..%^.T$_..%^.T!_..%^.T&_..%^v\!_..%^v\$_..%^..$^k.%^.T _..%^.T _..%^.T,_..%^.T%_..%^.T.^..%^...^..%^.T'_..%^Rich..%^........................PE..L......d...........!... ............................................................-N....@..........................................0.......................@..8.......8...........................8...@...............L............................text...N........................... ..`.rdata..@C.......D..................@..@.data...............................@....rsrc........0......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):14193152
                        Entropy (8bit):7.009337017812752
                        Encrypted:false
                        SSDEEP:393216:jJIunH1dEmv+4rhHBI56x7Yul3LDHixr9n:tIunVdEmlrhHBI56xMSqFF
                        MD5:C1E2DB593BFFC54F7ED88E2F038385A8
                        SHA1:4B1F84DE1B3B3F76E405BC63CE09996C5E3E6555
                        SHA-256:F0A7D105A8D2817B24303AA49A571FA8F40DA57B5AB10A4CD4666A63BF65BB6C
                        SHA-512:937970E7937EEF2E3CB683AA55632859DD17A78502B17267BE832E0003AB14F6F0FEFE815D5516B36EFA57B5B6975B142716A2C1243D27DFCC4822A045C6A326
                        Malicious:true
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........F..N'.@N'.@N'.@G_.@\'.@.].AJ'.@.].AB'.@.].AD'.@+].AL'.@.].AU'.@.U.AF'.@.U.AA'.@N'.@.).@+].AO'.@+].AZ'.@+].A.".@+].AO'.@+]b@O'.@N'.@O'.@+].AO'.@RichN'.@........PE..L...6..d...........!... .v....'..... O.......`............................................@................................p..|....@.........................,....~..8...................DN.......&..@...............h,...(.......................text...(p.......r.................. ..`.orpc...H............v.............. ..`.data................z..............@....idata..(............J..............@..@.rsrc........@.....................@..@.reloc...@(.....6(..\..............@..B................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):629248
                        Entropy (8bit):6.855555233987192
                        Encrypted:false
                        SSDEEP:12288:YoiQ+91llW1jq9hNtoIKxfPWlwPVjMBNzL:KQmDlW9ahJmfelXB1
                        MD5:DBCC26FBA6370F935153DA6E54B86933
                        SHA1:6D2DCC17F377A3EF3F919D57BDFF45FDBBC61AF4
                        SHA-256:74754D2B1CFA2AAC426171BE883A502C28311D440CB7769EDBF957B722323A37
                        SHA-512:D1617C03DC24CC487D4AF3601FAE345D5E1ECC19FE4BFB8867BFFF4C934A360AE412150E73981BCADE77CBC7C2B35FF9310B10DC78433149D5E1D8360D255535
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.@.f.@.f.@...@.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@.f.@.d.@...A.f.@...ASf.@..z@.f.@.f.@.f.@...A.f.@Rich.f.@................PE..L......e............... .........................@.......................................@.............................................,T.......................H......8...................Hj..........@...................D...`....................text...u........................... ..`.rdata..0...........................@..@.data...............................@....c2r.................d...................rsrc...,T.......V...f..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):397312
                        Entropy (8bit):7.374955053136196
                        Encrypted:false
                        SSDEEP:6144:CPsUHqwjWNrHo8OPwqd669Q4QBUk+U+66J36x+R/Gk2Lh58t7WA:mKwC3ay2m+FJm+Ro8tq
                        MD5:C3E70E0DF4B19465ADA744B3B4490606
                        SHA1:1C2D1A614DB95000247479256C19D1263DD8A7F4
                        SHA-256:7D129B3C1351458A767BD44F60C91D96A1C240E9326D5769DEA325CA52E1BFF4
                        SHA-512:93643B3DB08D70535ADCD5A49399E55705DDD3504EA9CBCA3D264DE480EC21A7582B5757CEC0B965726BDA263EF2C0E5B44E1EBC19E0CBD26D831720EC93AF3E
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^.U.^.U.^.U.&rU.^.U.$.T.^.U.$.T.^.U.$.T.^.U2,.T.^.U2,.T.^.U.^.U.\.U.$.T.^.U.$.T.^.U.$.T.^.U.$.U.^.U.^vU.^.U.$.T.^.URich.^.U........................PE..L...Cm.e............... ............&q............@..........................P......p.....@..................................p..,.......`.......................X"..(...8...............................@............................................text............................... ..`.rdata..|o.......p..................@..@.data....T.......R..................@....c2r....T....p.......L...................rsrc...`............N..............@..@.reloc...............^..............@..B........................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):390144
                        Entropy (8bit):7.402203680773456
                        Encrypted:false
                        SSDEEP:6144:mAM3k3EKc8Hcbb2GpT2WTdKQgbKNBIQWWSmoRY4e2eKi/hdScgvtmR3dc:mAM3/Kc8HcbUWJbBIQWWSHDjeXZdScn3
                        MD5:DD0BF034DCBC6E86B979C0B860933439
                        SHA1:25DEBD30D62DBB518222007FCFA532847F53ABFB
                        SHA-256:226DE85C05284B83F7503362D572C71BE8D3785A95FAEDEF4C1B630580E8B370
                        SHA-512:1185A2A93CC91AA77CF7976668F80110DA5F9AF8DFF46C6B1162413161871AA97D10F898EEB6DCC36DCE80EB271F59B41AEE0BFFBC98120BFF6A6677E143EDC6
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.).#.G.#.G.#.G.*...-.G.C.F.'.G.C.B.9.G.C.C.(.G.C.D.&.G...C.".G.F.F.!.G...F.(.G.#.F.,.G.F.B. .G.F.N...G.F.G.".G.F..".G.#...".G.F.E.".G.Rich#.G.........PE..L.....d...........!... .....................................................0......A,....@.............................m...D...,....p..........................T.......8...........................@...@...................<........................text.............................. ..`.rdata.. F.......H..................@..@.data...T\.......Z..................@....rsrc........p.......H..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):347648
                        Entropy (8bit):7.68224951162498
                        Encrypted:false
                        SSDEEP:6144:4AwhPTbVx59l8hUcb3F9ynNoYrb3xvKzNcerjDlErzNXn3fmg+3mtF8qjq:FwXL8X9Dswh1qB3VD
                        MD5:ED5C2A47C8214F56EBDCFE8D748B00E9
                        SHA1:A253F0DA7429599B522876643172541C882D1B82
                        SHA-256:F8E5362237BA8AC8BC53A83E9D59ABA210D4989E001FB3EFD0E132C81728D5EB
                        SHA-512:EB01ADF567CCD14218819A0A631027354B1EEDDF2513EF29BE59D18259D79D9AC8728221FEF33BCA16F3617C2051C136DD320F4BED3E2DB70FBB0CA6216C65A6
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I..o...o...o.......o...j...o...k...o...l...o...n...o...n...o...n..o.#.j...o.#.o...o.#.....o.#.m...o.Rich..o.........................PE..L......^...........!.....2..........().......P............................................@.........................`....&..........................................0`..8....................a......h`..@............P...............................text....0.......2.................. ..`.rdata...f...P...h...6..............@..@.data...T...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):384000
                        Entropy (8bit):7.601004333981988
                        Encrypted:false
                        SSDEEP:6144:EJ4o3waaf8ShzoahVO/hp9ivV7b4YQq9OOFAdw2mSwSp/kWy01gqelSMOyCzVQry:oABFoD/He7PnF6zp/efqegZVQ/2
                        MD5:F8C03D8C56EA5D7760566B8EE30F7228
                        SHA1:2EFC3DCDD517EDC1242BD8795DA9CC6A6A9B6018
                        SHA-256:30E395FDFC1CA6645AED8C9A390F31E84256CEC7337920AEC6B83B4B8748449B
                        SHA-512:F5277CE0A765F23A0934E8C10F65A432B289BD0C6D5237EF406748E8D1D11FDF05511BA04727037064ECBF7324DD2F751EEA3B75DDE7FD04B302FB1DE1D1637B
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...#H..#H..#H...H..#H."I..#H.'I..#H. I..#He.'I..#He."I..#H.."H6.#H.&I..#H.&I..#H.*I..#H.#I..#H..H..#H..H..#H.!I..#HRich..#H........PE..L.....d...........!... .P...l.......A.......p............................................@.........................t...u...........................................T...8....................y......Hd..@............`..4...... ....................text....O.......P.................. ..`.rdata...>...`...@...T..............@..@.data...............................@....rsrc...............................@..@.reloc...@.......2..................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):7117312
                        Entropy (8bit):6.943859621102669
                        Encrypted:false
                        SSDEEP:98304:iYmfAAXqYNYDiZLimZ3kD7zt0R7Ejb+ab+gWMDr+Wiz01Sz09FiApAjMv:itZRLimZ3W0R7E3xWSr+t0FN6Mv
                        MD5:74A4489329FD68C99D1A88D062D0BC0C
                        SHA1:2226A02C546B7C97984E25A8C7F337EC1D609F5E
                        SHA-256:EF085D21210540E0A9B7048C7EBF5FB79DE9C9CAE2056FE2F96C730036BE0844
                        SHA-512:AEFE0F1953BFC9C0ED916925C1964E24D4A97926B98FFA95FA29BE7EC4021D358503AE794C4951F4F0414A71E11AF70A4CBB70D6EFC14E8D574ACA9BE1BEC451
                        Malicious:true
                        Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........]{..<.T.<.T.<.T.D.T.<.T.F.U.<.T.F.T.<.T.F.U.<.T.F.U.<.T.F.U.<.T..{T.<.T..xT.<.TRN.U.<.TRN.U.<.T.<.T.;.T.F.U.<.T.F.U.<.T.F.U.>.T.F.U.<.T.F.T.<.T.<.T.<.T.F.U.<.TRich.<.T................PE..L......e...........!... ..E..................`F...............................m.......m...@...........................I......pQ.......W.......................W.....4.Q.8.....................I.....`.F.@.............E.....tNQ......................text...+.E.......E................. ..`.rdata........E.......E.............@..@.data.........Q..|....Q.............@....rsrc.........W......2W.............@..@.reloc...`....W..`...:W.............@..B................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):63040512
                        Entropy (8bit):6.894333525411048
                        Encrypted:false
                        SSDEEP:1572864:1uqFMPVFJzq5PNviaeCb8aHZlulKb1T1OoTfpgoZRfaynXv95:1iFJ6r3Pxf95
                        MD5:9937D4BEB061282B4FF743E27D42B2CB
                        SHA1:C7DB103B80DAC15A042890069B8856B7F7AED44E
                        SHA-256:49550A796000A0FC917E74B31A4380870E31B6C8894BD918478D76DB8BC21BA6
                        SHA-512:11EE1363A720D2352EBB31DDE0B1401A5CA91280C6BBAC6928A45501A51A8CDB3B545CAE56D88A184A079D9E9BB3311F6DB027544FDCF8FC29F73EDC7DF407CB
                        Malicious:true
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......X.mj.r.9.r.9.r.9...9.r.9|..8.r.9|..8;r.9|..8.r.9|..8.r.9...8.r.9...8.r.9...8.r.9.r.9Gm.9y..8.r.9y..8.r.9y..8.o.9y..8.r.9y..9.r.9.r.9.r.9y..8.r.9Rich.r.9........PE..L......e..........#.... .._.........y........@f...@..........................P......*.....@.............................[.......h......$DW.................. ......,q..8...................(.q...... `.@.............`.....d........................text...,._......._................. ..`.rdata...bM...`..dM..._.............@..@.data................\..............@....detourc.............p..............@..@.c2r.....................................rsrc...$DW.....FW.................@..@.reloc...0... ..."..................@..B........................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):645120
                        Entropy (8bit):7.381793811046088
                        Encrypted:false
                        SSDEEP:12288:Dx/ZPqNB/0bLC0Zgql6TJk8ENpS38T4gsTFckzKy/4WmZM:tZPOULC0I9kbNpS380rckKy/2e
                        MD5:75F7AFDCE14A809F78C677669E7B5726
                        SHA1:C787E14FDDB49E90F61136A7AC001D5CBCC23BE6
                        SHA-256:58CFCDCC0E8DCBCAE01F421BFD58965C28A99A15E051026374C4C46208B6DAFC
                        SHA-512:91954AA872A19CAACFDFBA782CD97F28CA7ECD0CB7A3D8031E46F399F2EA990E7DE5C47F04386379DB0AAF8C1CF144DE013B55E304303AB91F519CF030366323
                        Malicious:true
                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:S..[=..[=..[=..#...[=.!<..[=.!...[=.!8..[=.!9..[=.!>..[=..)9..[=..)<..[=..[<.DZ=.!8..[=.!4..[=.!=..[=.!...[=..[...[=.!?..[=.Rich.[=.........................PE..L...[..d...........!... .....<.......+.......................................0......X.....@..........................j..........................................LF......8....................;......X...@....................r.. ....................text...p........................... ..`.rdata..`...........................@..@.data....&..........................@....rsrc...............................@..@.reloc...P.......F..................@..B................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):411136
                        Entropy (8bit):7.497902280191921
                        Encrypted:false
                        SSDEEP:12288:9qCXwwwmcy6SQNdDFu3pRV+qr6beVyZWT:9Awwmcy6TLDKp+qruYT
                        MD5:A648E9B1FBC813C31CA0F69FD3A4282E
                        SHA1:6FDAD4DBF92CA43026AC7961E5BC268C5D1466CF
                        SHA-256:172679A4140B7EA3D2321C0899738DBF875256B08E51D46CBB914CA6E283EF17
                        SHA-512:C9E8996DD75FBF1DE3E3AE68F1F79947DF18B133732750018DBB11BE94A3D3363CA52B9B9D192D5DE4BBDECA45C48C2C244E4C11B7295207C9FAAFD9024E5DCB
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q.Z.0...0...0...Hg..0...J...0...J...0...J...0...J...0..+B...0..+B...0...J...0...0...1...J...0...J...0...J...0...J...0...0c..0...J...0..Rich.0..........PE..L......d...........!... ............................................................[.....@..........................C......\K..|.......@2.......................+...^..8...................0...........@....................D.......................text............................... ..`.rdata..P...........................@..@.data........p.......R..............@....rsrc...@2.......4...l..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):5051392
                        Entropy (8bit):6.382068479919104
                        Encrypted:false
                        SSDEEP:98304:Z6iholXhy0Nk1FYiD9vv5X/thXLhMzw0eZ+PtFCDW:fhQhyHF3D9vR1hNiisYW
                        MD5:3C7FCB425CB58F374F0489717F51D9DD
                        SHA1:5D784A881DBAFF055ED337E1498F0E8385752C6E
                        SHA-256:E90BD87D9D70E6F94A79EF6FD1C651E360E9B45C8195922A8CB3BCDA631DDFA1
                        SHA-512:C09C535B1CF4C434137579650FE6CF9A326356C49113AE98DE356E4F9AFD690DE7472AB8A04802989BDDCA97B4C316A55EA5FBC25430D9C98270D9C1D1D0067A
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-...~...~...~..^~..~.......~......~......~/......~/.....~...~+..~......~..2~...~.......~.......~.......~.......~Rich...~........PE..L.....e............... .F/.........Y'/......./...@..........................`M......9M...@...................................=.T.....=.th...................P@.......3.8.....................2......j/.@............`/.......2......................text....D/......F/................. ..`.rdata......`/......J/.............@..@.data...X.... 3.......3.............@....c2r....|.....=.......=..................rsrc...th....=..j....=.............@....reloc.......P@.......@.............@..B........................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):592896
                        Entropy (8bit):7.427883863546983
                        Encrypted:false
                        SSDEEP:12288:vaGXr2uU4m1+YuD5klv6KOz4TN6NweKbz8sAJxSPQLSK:d6n4mxuSlv6KfQNIh5c
                        MD5:2F4482D7F9283D71EFC8A1F6F99A4159
                        SHA1:BF06B42BF179D016759EB07590EDAB96F0014117
                        SHA-256:E61266E4ED71BA8B35791751885690779C29009F22A2E9EF5FA92CE35A93409D
                        SHA-512:2EDA677C053C76F28425ED1160EACD71AA2576DAD19BF1AFDB6F831216F4950F195F67B665348BC1262918032EEEF4F3384E1B834756881B96DFA29E4D05688F
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):699392
                        Entropy (8bit):7.05104151563122
                        Encrypted:false
                        SSDEEP:12288:Q3+FbecUdzXf54bEDXJ9o5zIjsExpbReyxrB3nRNEC:QO1ecQUEDXJ9oRI4ExpEy73nRN
                        MD5:887CF3C6171F1C32996735D20BF93384
                        SHA1:156CFA2DF0B5368280735259281FAF520142A85D
                        SHA-256:F936A1A6B1C011C3E4C68C29BC9A7EFB415B54DE8FF6AFA94F7E8C9C5205F3F2
                        SHA-512:5D5A91E0C6B74B5CC6E9D15660BD36420BCC865D0F3015046986637C1C8465AB45AFCD0C4E42E12CD33569B7F89C3304A7554F73418D5AE44D7F04EA225EB9A3
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):613376
                        Entropy (8bit):7.311908925390133
                        Encrypted:false
                        SSDEEP:12288:t3++zQrwYwexY3j2BGGRIsJoVXsksPiLskj:t3RzQrwfexYTIGAXv+
                        MD5:AF7BF52B2E8898BC6D8126024ECAC15C
                        SHA1:13E0815A3FCAB1A74D6643AE39F2B24068B570F1
                        SHA-256:2FAC247C83D16BAEA163CFE3B78A6E9A3108BA311BA6A0E46936354EBE52AB71
                        SHA-512:4FDF3AFC18CA04718EB59502D4AD33F571345039ECA306C0B8F33C4717EE9EFB0CAB2C653AEADA427C0F8091737166EA72A742D0ED1E8427E0DD11715D61CE17
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):652288
                        Entropy (8bit):7.199964317805217
                        Encrypted:false
                        SSDEEP:12288:I8juIhpjVrlHi1YAfxvyzshy5MBXcoyc+rA+VhojnsaLnhTO4AMyXf:I8jTjVxHyT7ywXGVhojrhy3Pv
                        MD5:AA39A50C82E39395CF4C8AA9CDA864DA
                        SHA1:2D80790DBED81186FD7685B658572E6A750BDD78
                        SHA-256:34938999FF802953B42B9BA12B61E1DC511BFF991FD64E53EC04D4B68446745F
                        SHA-512:F4E21EC2E9B3FDEA53354CF2E1EA0A43D8B21C21713A822AFFBDA21BDC34DC340787E80585FC0C9C1ADED47CDCC54AB24B0141977B65DA4DB46A1CA8F989B17C
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):319488
                        Entropy (8bit):7.584837199392158
                        Encrypted:false
                        SSDEEP:6144:WZfA/1xY8hW70nnPb/SkHQnLLJnC1Fut5kyIiSgVMX8i9SXw9d:MfGs70nnPbakwn9C1yIiSgm8N+
                        MD5:47375D8637EF7D95B429AF1BDB4640F2
                        SHA1:EA2F40E151A4DA50F8E7CDBF56B6C1BE2024E212
                        SHA-256:AD2BC7CC413ADA85185449124C61CD97D2996016CBEB90294D7CC1BC0A1A246E
                        SHA-512:9BAF9426F7FE19402D5C09EF7316C851E7666FC4DD3E377C8F55CF9637670CB8299429A05EB75495B761ADE5D3C305D05995D63EF5049EC8EBFC116B3C7C0B55
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):19201536
                        Entropy (8bit):6.4603208316355705
                        Encrypted:false
                        SSDEEP:393216:saqvXUBAsPCq+06ZgN+IbwWKvoN+HtfYs6Irs:gXUBAsq66ZgwIbwhHg
                        MD5:21B6C8665875BFEAB14573D4A6208D48
                        SHA1:9A665B56D58E4DC2B8A98F15C3247FCBA3578F5D
                        SHA-256:A13138B104F8DC4760FB85A23386C20397B59B3BACDD4ED619A36F531A36E7A1
                        SHA-512:F8F5B8C805F2C74811E09994C27B30D3F616BAD77AB93EBF616E1C81685BD833536A52B2BD45035E5421A11A2872EBC1955FB2CA9FD272B65AF222BAD8FB4C5D
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):295936
                        Entropy (8bit):7.687458132575543
                        Encrypted:false
                        SSDEEP:6144:kzSG7kIv+FP8Q8gPh69g+2sf54DnDLuHbOu+zzCx+X4J:QSUkV8vgPh69WpDn3u+KEoJ
                        MD5:037353CB4DD4F9DCAD488939CC0B362D
                        SHA1:A2604B637243664DD560F2CCD9DD46F948F420D5
                        SHA-256:FCC712BEA51AA24EBD17E55BFCC3A76F60C233CF351008FDDB675DAA84FFB3F3
                        SHA-512:710A1D9D86C69910B76138BD44D4C571DB834540CD8178C43F555FC9E1F9DF249A64AD99C17A9A596C74C37B33DB114737C165B3181EA5D880032B0D1FCD8AC6
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1229824
                        Entropy (8bit):7.371851815111004
                        Encrypted:false
                        SSDEEP:24576:T47M2vvgRngDlnGr2PwlV3At4Y4bcV6uKZHTc+EXo1oD39BzSGM7P:U7MRTrF3xdZHTzv1oDtBOH7P
                        MD5:CEBBD470D6C1A753860170132F5CADA4
                        SHA1:C4BB8CC92D50FAF7448DB4826D6E676F9E62D39F
                        SHA-256:6F1F774E73E9DF82533CA0B852957FC92AEB6B97BBC614BD880C7D82EEFE8C2E
                        SHA-512:7B2E93B429FE7DD32CFCD546B2DE12F1283A359FBE5AFCF06C390126390009F597E6CA8B9F2F82B2C623210B41CC44E43C6961DDC008799176CF517BE255EFD3
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1304576
                        Entropy (8bit):7.371398791893511
                        Encrypted:false
                        SSDEEP:24576:rKGfz+LhHAv9uPHHogfKybCrA8AegVxBPHV/vNvBTcaaQk5jXe5Jo34XKbau:rKGb+LyMPHTb9JNvBTrUhiXX
                        MD5:13CECA8FFDD6493B4F814CA562641620
                        SHA1:D77CEDBFB4215DAF394033471A926D3DABBCA1B9
                        SHA-256:15FF8472FD50E522E0915531E9CFCFDEAC83E7A63E1FD9119BE40ABE48BCB7E8
                        SHA-512:F768E8B2BF705471B2FC628BEAFDF4B47649C9B2AA8E938941EE8FF8F1B6A1B18B47DEB19DDB7420D5A28CF45AC3898F39EED714FDF1103D54C53C461CEE60F9
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):18690560
                        Entropy (8bit):7.005902729897173
                        Encrypted:false
                        SSDEEP:393216:TZm8BCrGT+SMiHYkiX4Arm95aggjIjHpmKyVM/Z1KrT:TZm2UGT+SMmYkcWa+pqM/Z12T
                        MD5:B22DA853C14FC139D5A9FD01ACF133FC
                        SHA1:E299C0FE4B1793A19121935880FE0870350DA256
                        SHA-256:F66348719BAFEE5EC333DA0338D44E2AEA88321581B2863A953A9786D344EBFD
                        SHA-512:5ADA64B690DCC08C671CABD037C0AB99770B6ADAB25A801864E82C50BF0C21F22DF2535A837AAB4813EE7EB3CAA17BE8BFFE73496C8CAE9F4600C5622C1F3EB7
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2413056
                        Entropy (8bit):7.17271031216576
                        Encrypted:false
                        SSDEEP:49152:OKQSysJKEczKfGh9z6rvWHBQjB3E655Add7KrhDasi2bLGy:OKQtef84b+K2Ie7KrkrKLx
                        MD5:7B53B4F57B333CEA91466E6A44F47878
                        SHA1:38062F9BF8A2B25595FE698EBCEC6830EAD15C3B
                        SHA-256:1D507303A3C66F44E7FA4D3781DE1FA03994CFBCC6F1C985FE227FFD42441870
                        SHA-512:CEFDC38F4587377992BFCB3296E36DA945A24A7DC38C8EDEB76603370ED78E324B04BF5170A3983C565F768E13F697FE2086C66A9CB429D579420DDAF4869BEE
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):13445120
                        Entropy (8bit):6.435554287063595
                        Encrypted:false
                        SSDEEP:196608:++NqeXjyS39FYYlQWH+O5DEi/h8a2ky4ACKv0aFliDrRH:++NnH39FYKEK8Sy4ACePEDrRH
                        MD5:BEB6C79D1772F168224B0736318A6588
                        SHA1:BCB68C8B5010B5DA81E9601F361804487E01BCE2
                        SHA-256:0AFB793509819158A8E437CE3EEF1A9F783996382EA42BAB5642968F905351FC
                        SHA-512:110CAF49B86E83652FBC7659A76E4DD1E9077F3F79E44C9FAFED85A706616A0F8D409A19A9B1EE0424E161EA1E0D3CD3A38865D0B2DF6AB6476B315ACB831C9D
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):321024
                        Entropy (8bit):7.627325639811347
                        Encrypted:false
                        SSDEEP:6144:NRRVZUawZnrl2kUi778JRJ9sqWglm2qnWa9UQyh4KxjMThEj7pGKsTaS8ad4oHp:NbTmlrUdJKH8OMQ441TWj7pG3T7fdj
                        MD5:5E92077DB190E6C0AAC77E0B849B1305
                        SHA1:FDC24DDAA91A20CF32A722DE146EFABD7C58F2C2
                        SHA-256:624170DE919422DAEB3C1305CCA10384C86DFF4B2563379C4E1CB8634B214077
                        SHA-512:27565A070AE42CF01D9939CE4088CF8ABF706216BB6FD87E2558CDB39559E91F76DDF8595F76F02A58C87955811BFC96357F67BC4459010320F8BA87BD9FEE4C
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):351232
                        Entropy (8bit):7.661548283501416
                        Encrypted:false
                        SSDEEP:6144:VitGp7g/VeGXmvnYFfDwZJS4RTkaDYeMeJEiV3rgeUlc51f/i916WV:wtGp7gjXF8ZJ9AasiV7sa51fm16WV
                        MD5:162B5E1B84BDA19AA7EAE1011DF5F077
                        SHA1:A377B142FFE2859C49823BD5DE0E59DC56F01435
                        SHA-256:8F33088614BC1AF27F314DFF67E83ACFDDA1B344230A628CF8C6DB25C9D38BE3
                        SHA-512:61A7CA745E839263D218D635F55EEFA23AD0CC0D5817628B032525953599B28C8215D0A1C07D488D1809EDA91B3E3484C393CFA87A16D2329A8779A73B025188
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):543744
                        Entropy (8bit):7.426735463650804
                        Encrypted:false
                        SSDEEP:12288:TKygmSqL+L66exyvc8LpgW2+PlaSd4Nh2r3UvEGwPs5RXKWyJWYW:ON/I+1exyvcGpg7+Pll2Nh2L+ErJWYW
                        MD5:613FDB399274DE6601CBE2F01AD18A76
                        SHA1:8B1049F83BFD349411F92690005121F8AA8A4093
                        SHA-256:7D21CB64B238D229F1597230E924B7DD2248F9E332E9119710F715C296853B54
                        SHA-512:379036D95940FE8DAAC0B664FC77993440F585CE562CFE7D443D9F7C8AF2A898FDEE0907AFD504DB2C0E895EC67ABE00C488823B0F52D0C270479B12780988E2
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):3463680
                        Entropy (8bit):6.982333825009289
                        Encrypted:false
                        SSDEEP:98304:O1Pa55CNtgqPx84lS7eJX1FNopV8pOlN:O1PavyKqPxTlSQ1FCpVd
                        MD5:F9323F3E955FB26AEB49DD6E29D285F6
                        SHA1:DB9E7A4685080EF27939E5BD7FB213C1ECA431D7
                        SHA-256:D8E8BA570591FFE484885726F60CF1E41BE8E59918B353E925C401C7C6C72EB5
                        SHA-512:507B81B37F9AB11F3999FC313BE77C3F0A2FCA96D2559819FC0715E4DF1B65E21EB6FD73F8619C5FBA1B1664BF7D8D18EADFD193AC26609AA0C32BD8F4C2C5A5
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):401920
                        Entropy (8bit):7.498869280351475
                        Encrypted:false
                        SSDEEP:6144:G0vLpbRr9KpUTuV0wKD7ND3VqGMFiMIMrHiEANmR1Sa/I8pX8oapkm4exqN:G0tbJrTmKD7NDiDuExRYp8lrg
                        MD5:90A1C131A25E27B4A8A78AD8DD147EA5
                        SHA1:E170B7D05D2109D0F2323E8F9C3D6EA1EF787B37
                        SHA-256:51546A5EF4DD2F9EAD863C9C1F4E501AB4CC8EBB9A5DB27DCCD4090BAD4C62EE
                        SHA-512:926F8C320AAE14917005392E6E57FC904D63C1362E14E428554608CA31D3E7BD312D10AABF25D8ECAD17ABDFF22CBDD5C000C621F66DA58497B2D0502B3CB127
                        Malicious:true
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):505344
                        Entropy (8bit):7.528814341245892
                        Encrypted:false
                        SSDEEP:12288:SO4lO0qcfuEkbAznoJ/lYL3+n4QxVOyCuGs:SJlO0qwgAznoJ/lYLODXfGs
                        MD5:1D2E62ACD6D3BDA44B875649AEBF745D
                        SHA1:407BDACCBC950C6CD1A198FC7CF9FB75D13082EB
                        SHA-256:288F91AB930059C16237E4EC5BFAF5B35BC739202C790CCCCA83F1EF450BB155
                        SHA-512:677E571800DB32B71CA8168FC6B6EA6A5620AFD14D2329A4C048276E4D8BF4BD80FD1C333FD4098250D2CD2D2756FFB6A064590B3739AEBE17E87614F567D0E0
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................1.........j..............i..............................................Rich...................PE..L...)G$O..........#!... .0...x..............@....................................../.....@A.............................K..@....................................+...<..T............................;..@...............8............................text...<........0.................. ..`.data....4...@...2...4..............@....idata...............f..............@..@.rsrc................x..............@..@.reloc...@.......:...|..............@..B................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2381824
                        Entropy (8bit):7.167235801786137
                        Encrypted:false
                        SSDEEP:49152:37TFG5t+YGgN/iGsLPiePhG3UbvUAH5myGk8Gj1HhA:rZcvfsF55GLG
                        MD5:2DD014ADD092EB85D7205FB6D9A534C7
                        SHA1:4B22BB91239E73451D1753C78AA6796DDF9A66AD
                        SHA-256:3F877EE496E5E18AE64E230BC559E0FB53617229375416249077425415242CDA
                        SHA-512:6BD0692AE575FB767800F0EC52D5ADEAF1A047FD5E819EEFED2CAD6BACE6C6F856288C1980D0AD418F56076744410E77B14EB7E29C8189CF78583F6A411EC76E
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A.$K twK twK twBX.wS tw+ZuvM tw+Zqvk tw+ZpvG tw+ZwvF tw.RuvL twK uw."tw.ZqvJ tw.Z}v."tw.ZtvJ tw.Z.wJ tw.ZvvJ twRichK tw........................PE..L...l..d...........!... ............W.........................................$.....,u$...@.........................$...........h....... ........................Y..`...8...............................@...................,........................text...3........................... ..`.rdata... ......."..................@..@.data...`...........................@....rsrc... ...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):47554560
                        Entropy (8bit):6.805788719557697
                        Encrypted:false
                        SSDEEP:786432:WKlbtUIWWlUKOapH0P5YG3KRLc140vou9Gqboy/ABm7/Z6QaeuIGQvjctLm1:WGWIWCa5YG3KRL440v3GqUyEm7ROetGe
                        MD5:BEA3BD18F7B3735F6ED159B5513FADB6
                        SHA1:FEBEEABC988D0DBA1947CBC05D52D40D9F0FF1AF
                        SHA-256:56E4E4E8C82D99B003AE3ADF9E1D8E1D3BDEF466D674F3943D1EE585BF068C22
                        SHA-512:B235967455BC78CD34DC5289820E61EA5049B52FA2434AA09A8B455FB2194E2DDDE432BD3F47F0C9E7F94227F596F19E4446BCDEA776289A9DC141F379B4DA29
                        Malicious:true
                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........j............sI.....q......q......q......q.....Jy.....Jy.....Jy.............q......q......q......q......q%.....M.....q.....Rich....................PE..L...T..e............... ............h.......`....@.......................................@.........................4...^....P..T....`...]>...................S..l......8........................... 5..@............ ..l............................text...P........................... ..`.rdata..8.;.. ....;.................@..@.data....<.......0..................@....detourc.....0......................@..@.c2r....|....P...........................rsrc....]>..`...^>.................@..@.reloc...0....S..$...|S.............@..B................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):25299968
                        Entropy (8bit):5.949579088957398
                        Encrypted:false
                        SSDEEP:98304:G5GKto79awVBHZ5vk4YJZdeWbWFCE/c9CUELbX7p97zE/MtG/JGgpp7tj7RQyzpU:GSXVBHTvideTRyGkZj7Oyz/I9
                        MD5:8AC377FB4863170FD62F0C4A913F0B64
                        SHA1:CF5803CB4F33784F14837B3F70240995BF9F5352
                        SHA-256:2409CD9F5D2E6FB268AF73BF4071E4C01BA669A42DDD271CE3BBC064797A7EF3
                        SHA-512:20D0C94A982461DAA664A3E4E5BB0B6E9405AF2D2CFD5D6BA8EC3B56EE47F3666034AC10778A563D2E84845D6546D132A2DAA62A05A18447AFD46E134CEBE83A
                        Malicious:true
                        Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........R..3...3...3...K...3...I...3...I...3...I...3...I...3...m...3...I...3...I...3..[A...3..[A...3..[A...3...3...:...I...3...I...1...I...3...Ic..3...3...3...I...3..Rich.3..........PE..L...q..e..........#.... .&I...$......7........I...@..........................p............@...........................d.......o.0.....o.\.....................f.......d.8.....................Z.....@.W.@............@I.....,.d......................text...s$I......&I................. ..`.rdata.......@I......*I.............@..@.data.........d.......d.............@....c2r....X.....o......<o..................rsrc...\.....o......@o.............@..@.reloc........f......<f.............@..B................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):963584
                        Entropy (8bit):5.083585192337844
                        Encrypted:false
                        SSDEEP:6144:cnyajp++SXeSC+hBMdNRneNMToeGYKne2UWmkXw8h9FPl+6jnY8jY37KXZXwIJrs:ajszevUEcne6mqwW86jnFIIJrN
                        MD5:B287F133A2131CD145B825FCFE1BD007
                        SHA1:177FEBE3995D3336A5852DAF1B75E64EC325C2DF
                        SHA-256:55762D403C4A6C9F01532D1A116010AA363C2AE9212FE6031884E71C711F308E
                        SHA-512:07179B623B46FF29C9A548909A76B603B514C991DDF8270ACCD59EAF24B3A768932FE92A42F4D9CF059C436FA18EF87887045FE1919D577E14AA8932A72165D8
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........6...e...e...e.Te...e...d...e...d...e...d...e...d...e1..d...e1..d...e...e...e...d...e...d...e..8e...e..Pe...e...d...eRich...e........................PE..L....:.e............... .....N...................@..................................r....@..................................@.......P.......................P......x...8...................8a.......X..@....................u.......................text.............................. ..`.rdata.............................@..@.data...x............z..............@....c2r....@....@...........................rsrc........P......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):13639680
                        Entropy (8bit):6.890274423770264
                        Encrypted:false
                        SSDEEP:196608:SDRfdSoapc6y6izTlZ+R3p7evOnDtllw61vg:S1Yir+H7eKDvg
                        MD5:D0333C15D4161DE81FB0D8816BA40734
                        SHA1:B7ED8A1B5A978FBD31C6449AEB3DDDD9534737D9
                        SHA-256:B724D3446E0CFB62FA120B1883F840082280535EFAFB1B86A36CDF6D2960A613
                        SHA-512:DFB4C24D28012FD16F82BCDE9C19BAE15DBEBFF08EC1A6B6B57429CF04472C5F2547CBFEF0EA8C0630818EC0B0571C84FD2BB39D63001A1EDE60EF99E3C84816
                        Malicious:true
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.....................I....................................................................................%..........Rich...........PE..L....^.d...........!... ..V...c.....#B....... W..............................`............@.........................DC.......j.....................................P..8....................:v......Cg.@.............V.X...$T.......................text.....V.......V................. ..`.rdata...(:...V..*:...V.............@..@.data.............................@....rsrc...............................@..@.reloc....*.......*.................@..B........................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1959424
                        Entropy (8bit):6.989680817197844
                        Encrypted:false
                        SSDEEP:24576:nsXAAdox1tpo9RZKEWMHo/vdoYeZugWsmXx2gV93dx/rjD4KB1LdnGjGg3ev+y:AssZxWM6TeZQR33XD97dGjrc
                        MD5:4DFE514A9924DE67031A7FD43F8545C3
                        SHA1:A686FB8F2553846481F67B3C95B2353E913673A0
                        SHA-256:7B2CC47E325D48AF6F35022B452F48F0FB05CE1B9889C5024A788A348F452C6C
                        SHA-512:88FC65312EB493A46F50DE791B774B226804B98C8E2C53419C48204969DE34F2FD670DE2040A9B47C6804B3988DCCB6791AEC77AC5670E8E30FDA73896EEDD21
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............~.~.~.a...~.a...~...~.a...~.YY..~.YY...~.YY..u.~.a...~.a...~.Z..}.~.Z..~.Z..~.Z..~.Rich..~.................PE..L.....t[...........!................................................................w.....@.........................0.......D............"..........................`...8........................... >..@............................................text............................... ..`.orpc............................... ..`.rdata..............................@..@.data...x...........................@....rsrc....".......$...P..............@..@.reloc...........r...t..............@..B................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):4472832
                        Entropy (8bit):6.987399911700877
                        Encrypted:false
                        SSDEEP:49152:VfbgMed3/vtJ9m/t3kja2CKj3rRRuElBBov3S4W1EB3ra/Chir9B+ltjSLVfeL:Vfwwtqdj9RVJVm
                        MD5:53B5B6BCEA906696C403C71C3C2694F0
                        SHA1:7E733B15B7D7CD3EB234A6FD6AECDF4376107336
                        SHA-256:A31FE0A2ED7D75E21806F5B330B37F7B4289D096821FCE7C73098B7FE7DE4553
                        SHA-512:AB7E5DBF7DA9688B0FCEF3070B0EE961796B0CA4289D6302689A838D0B71D306101C864A299C13497CDA65F81B25B5D6945F0EB824D8DC28580705AE94F4B46E
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-,.VLB.VLB.VLB.>A.FLB.>G.LB.66F.DLB.66A.OLB.>F.MLB.>C.]LB.VLC.LB.66G..LB.36K.ZMB.36B.WLB.36..WLB.VL..WLB.36@.WLB.RichVLB.........PE..L...eb.d...........!... ......).....!q........................................D.....J.D...@..........................<......H>..x........S................... 9.....HM..8...................p`..........@....................=..@....................text............................... ..`.rdata...~..........................@..@.data....k...P...J...B..............@....rsrc....S.......T..................@..@.reloc...`... 9..`....8.............@..B................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):5652992
                        Entropy (8bit):7.2436183791247934
                        Encrypted:false
                        SSDEEP:98304:nGmkSfKOylbkEdlihk1Vt3avFLOAkGkzdnEVomFHKnPMh7G:G4CVnAk1Vt3sFLOyomFHKnPK
                        MD5:941291DF59E4D6452C7B2B8A6DAB216C
                        SHA1:21937B60DAE6FD1DAAA5056BA8D1B5047D77E770
                        SHA-256:FA9C0AD50045C2A8E97B418BD77E647E8EA2CDF28D5C07E79340FB7E4596C6C8
                        SHA-512:91CD8E9C69B82AFFE0B2B2C18C1AA947EB2F71DD3FF4D26AAE1EA27D2830B467A27EBD3E775572656688F3C623A872870259E20E2BF2B6E96DDC771014ED903C
                        Malicious:true
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......prZ.4.4.4.4.4.4..a1.5.4..a3.5.4..a0...4.=k.. .4.Ti5.6.4.Ti0.8.4.Ti7.>.4..a5.'.4.4.5...4.Ti1.#.4.Ti=...4.Ti4.5.4.Ti..5.4.Ti6.5.4.Rich4.4.........................PE..L...Z............#!... ../..n........+......./...............................V.......V...@A............................L.....0......01.`.....................F.........T............................5..@.............0.....0........................text..../......./................. ..`.data...L...../......./.............@....idata..JS....0..T...`0.............@..@.didat....... 1.......0.............@....rsrc...`....01.......0.............@..@.reloc........F......PF.............@..B................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):11795456
                        Entropy (8bit):7.479501983425282
                        Encrypted:false
                        SSDEEP:196608:grSXgitiC124248EPWKRlY74SD9qWUourlnYS:grSEEuK/A39bUourlnY
                        MD5:3EA4D5C3BD5CF9AE659203B7E05CB9A6
                        SHA1:86FA5BAA726B212E3C8E4BB998ABEFDA039341C7
                        SHA-256:16E8F3A25433B418B33B7AB31DA29F67162F88E2123DB31A48190624C5D9D019
                        SHA-512:DB56B449922307BF08EFC798D77BB60162BB778D38A68C0C4277FDF9B94614C50CA440BEE762211CF807E45E108B708B50B8A50473D4EA510E83BDE71F5C07D5
                        Malicious:true
                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........K..C*..C*..C*..%Ez.F*..._..H*..._..R*..._..E*..rvz.A*...R..D*..._...+..._..b*..C*..1(..._..\*..._..\*..._...+..._..B*..._x.B*..._..B*..RichC*..........................PE..L...e..c...........!......E...f.....`C?.......E.....................................[.....@A........................................p..H........................Q...e..T....................f...... e..@.............E.....Dx..`....................text....E.......E................. ..`.rdata....^...E...^...E.............@..@.data...<....P.......<..............@....didat..T....`.....................@....rsrc...H....p.....................@..@.reloc... .........................@..B........................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2202112
                        Entropy (8bit):7.034724500933061
                        Encrypted:false
                        SSDEEP:49152:V1tFYFtufwBIQri7MSj7T5/k30Ewdn2IcEITJemL5SQTds2rHXQ/D+gOmn:V1tFYCweQu7MSj7T5/k31wdn2bsAQ//r
                        MD5:163DE4796A374E266D7F21022458F4D6
                        SHA1:BFF16E839C9398FA2E08451232D2859A19C71EA9
                        SHA-256:90A267673649383953C030A7E73536BAB3EFC60EAF084E340B58B94AF7840545
                        SHA-512:A7100219670D40FC776E44F9ABCACE6FCEDC7CD41AD1D2AFCF8B1A4387DF55F9BB3B33EB9544E6CB96424C31491F97025DB8286E429317F429C1AEC809F54104
                        Malicious:true
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$....................A........................8.......8......8......8.........g............M..........-.....E..........Rich...................PE..L......e............... .f........................@...........................".......!...@..................................`..T....p.. ........................0...#..8..........................8...@...............H....... ....................text....e.......f.................. ..`.rdata..$............j..............@..@.data........0......................@....detourc.....@......................@..@.c2r....|....`...........................rsrc... ....p......................@..@.reloc...........r...(..............@..B........................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):733696
                        Entropy (8bit):7.303917203902134
                        Encrypted:false
                        SSDEEP:12288:KTHuCmQttX0Onzjuy6WmD3F3U5miArEYDWjqReoEFmVeb74:ittzjuy8DXrrEYZsNGeX
                        MD5:81247FABCD9EAE6389950BA58F558D5A
                        SHA1:A53061A49E62F0A06F169EDB2C2762D2851CF1DA
                        SHA-256:94AD9E55129F8588DECF08784C0976A313B9EF641B4BD8A79EE7CAE6EFAF351A
                        SHA-512:84D6B79364F5196131042190B6315580CB1CFB8F758822CDCA4BBAD7A7A1EB249E67DD668AFEABE2F2BB562EA386C6EBFA3BE428D75AD6F3ADE28C55E1EE0E59
                        Malicious:true
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...I..e..........#!.....>.......... ....................................................@A.........................7......L8..........h........................G..$%..T...................x$.......R...............<...............................text....=.......>.................. ..`.rdata...%...P...&...B..............@..@.data....6...........h..............@....00cfg..............................@..@.tls................................@....rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):4822528
                        Entropy (8bit):6.926995200683009
                        Encrypted:false
                        SSDEEP:98304:s6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwH:ymx0IUBdnBD/HkwEEsHWlh
                        MD5:165771EFB3B6FFCF74326FA3C532E18E
                        SHA1:924933B29275C11B723CEA9E753045DE083D0832
                        SHA-256:57FC1FD7D99AD5FBECA5F687BC8C88F86B8998428E1FD658C7C04B751D31641E
                        SHA-512:846DAC02803279A824858860A643728CE3CB328F158CF3EB2286775375F5A259802692CEC9B753A9086D19F6F38BF85E6360D23DA5DFE505A089A762C256DD48
                        Malicious:true
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...:J.e..........#!......7..........!4......................................@K.....UTJ...@A..........................@.J...#.A.P....@C......................PD.....X.@.8.....................@......77...............A.h.....@......................text...+.7.......7................. ..`.rdata.......07.......7.............@..@.data...(....PA..V...6A.............@....00cfg........B.......A.............@..@.rodata.`.....C.......A............. ..`.tls..........C.......A.............@...CPADinfo(.... C.......A.............@...malloc_h.....0C.......A............. ..`.rsrc........@C.......A.............@..@.reloc.......PD.......B.............@..B........................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):503296
                        Entropy (8bit):7.337020791561376
                        Encrypted:false
                        SSDEEP:12288:YYN9qZIHIqsffohhjA9U2Yxh+ZrViY6bp8u/aqY+yhqM1nB9WPNbk8:Y2sZITafohhWU2Yxhkr1UYnXHAPa
                        MD5:5C74351999BD2D235FAFDF5C6DA12A6B
                        SHA1:F091F656299DBD45113F6012D43472AF331D9270
                        SHA-256:965B974E56D836D4E25B11E0812B4E0640564353A73E5482A4520394519D0C99
                        SHA-512:89E3A1FCF631BC6C507B8047BA51BC208C44A6C7BA19BA74ACD9698932B8531F866A8D8ED6BE061DD483A7368C480CE241733D37D5143AB5B46487ABF3977879
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............wU..wU..wU.tT..wU.rTg.wU..sT..wU..tT..wU..rT..wU.sT..wU.qT..wU.vT..wU..vUQ.wUK.~T..wUK..U..wUK.uT..wURich..wU........PE..L......d............................p.............@.................................7-....@..................................y..........H3...........................g..p....................g..........@....................x.......................text............................... ..`.rdata...z.......|..................@..@.data....'...........z..............@....didat..$...........................@....rsrc...H3.......4..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2936320
                        Entropy (8bit):7.248584217677397
                        Encrypted:false
                        SSDEEP:49152:BOGJ+oaLeI0n/soNjBmCuDctOTs75a78tSnN0vSQQTgvYkHO+:B/J+oaLLoYCuDEn08tON0aQxvYkH5
                        MD5:222A725A9DD4961849F134B663630021
                        SHA1:3D7B13FEAA157D70FFA7D2FCDFD785A94925585F
                        SHA-256:DB2162402FAC9EE2988889EB930661F28B592EFC9276A01FF040C5DCFF15FA0A
                        SHA-512:4A78689DEDC34D68A19865586679A21F45D9BBEE7C1B64A517F95074F227B8132CD68FED47E4ABA051AB48803027BF2B4025229C740A5D29567DF54A99ED4C03
                        Malicious:true
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........-g.CL..CL..CL..W'..BL..W'..RL..W'...L..!4..RL..!4..YL..!4...L..W'..\L..W'..BL..W'..JL..CL...N...5..]M...5..BL...5..BL..CL...L...5..BL..RichCL..................PE..L......d...........!.........~......p........................................0-.......-...@A.........................P..X...HQ..d.......@:...................@ .L...D...p...........................0...@....................)..@....................text............................... ..`.rdata..T...........................@..@.data...Tz...p...L...\..............@....didat..............................@....rsrc...@:.......<..................@..@.reloc.......@ .....................@..B................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):439808
                        Entropy (8bit):7.446651088342343
                        Encrypted:false
                        SSDEEP:12288:w1H5RaB8lk6+Xz0RaYVTTdsQJ07hSt5YJ:wtaB8z+Xz0RamTTd102Y
                        MD5:BD55E612B9DACB2289EA2D3EE8D56B58
                        SHA1:9D8E5FB2AC71C8521193DFAC14BB6D7F7684A3EE
                        SHA-256:592DEE67F80EB984E7E20274179CBCEE7D1B109B87233ED9687ECE33376A9412
                        SHA-512:A0F534830D4DF1F4B7056703FB44362AB4E2509F5A3D09A9241654F9A4AC05FCBB3B136A0BD8511DF8ECCBD30D5714AAC22B3F884E0700A40DD29C7DCFBEC2AE
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#...M...M...M..F...M.|.C...M..G...M..I...M.q.....M...L.N.M.|.....M...F..M..I...M...G...M..B....M.g.N...M.8.K...M.Rich..M.........................PE..L....].d........../...............................@..........................0.......A...................................................&..............................................................................h............................text............................... ..`.rdata...h.......j..................@..@.data...tE...0......................@....sxdata.............................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):430592
                        Entropy (8bit):7.523712347887246
                        Encrypted:false
                        SSDEEP:12288:D4vFdZnsBNy6pYIStwnHVb8Qa3+ddoxnRqCG:D4dfsBppYIStwHVnaOToG
                        MD5:DF8E5A62C97FB25732F752166C405A3B
                        SHA1:7847BF87D57D11160FCC7A9804F28CD4F37B374A
                        SHA-256:D605EAAF21E0409E9A10EFBB3E73C464F08D193881968AD05CE6B07F9EBCA9BE
                        SHA-512:DCE92AAEF39D702AE4012B8D5EE1F8104C42DCB98B9B682C68C825C3D9622B470D64491734D6BDFC270CF22158C5F51A4AABFDE99942141225E1E9D521FF05B6
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T.YC5..C5..C5..,*..@5...)..K5..,*..H5..,*..A5...=..B5..C5..55...=..D5..u....5..UJ..B5..u...A5..X.Y.S5...G..@5...3..B5..RichC5..........................PE..L......d........../......t...........Z............@.........................................................................D...d....`...............................................................................................................text....s.......t.................. ..`.rdata...e.......f...x..............@..@.data...tF..........................@....sxdata......P......................@....rsrc........`......................@..@................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):260608
                        Entropy (8bit):7.652499110697016
                        Encrypted:false
                        SSDEEP:6144:OLgZp3eGlldw8s7HML7J4Jvclk32Yl4PO+Q0d:Okv3eGlldwxsLV5m24H8
                        MD5:F33876431126C9CA2931B77817950D66
                        SHA1:E969A4F96D7EB99F72DB8C7DA25F04B6D1B7686A
                        SHA-256:E5E52855CC219F1F072937C8C71F1F3C5CEE81E45FA3AA1DADB7254A11CC3B61
                        SHA-512:4AE61257845730E212FFEE15DF7E92A4D94A5EF28568E6FE57086BF10510F48022BD766D01E9CB94B4E69ED34C1B5B7BD6D2C2E316790D0542078C6BD6EFECFA
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L.....d........../..........@......f!.......0....@..........................0......0.......................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):346112
                        Entropy (8bit):7.64040472657242
                        Encrypted:false
                        SSDEEP:6144:4Pb4nOcRHbDYGA+43ddTlzG5iLdSdJiL4FV6IROgZ5tnCFAv:4PbcOYok43d9lzSiL0d8AftnCFO
                        MD5:72A75640CDAEB284E98C52D422F90335
                        SHA1:3ED328117341B12247016AF5EF2EC5A37672D560
                        SHA-256:956F7956DFED7F3A12E18E1D0A394793F94EC1B78B67782A5E6E065AD3A6D996
                        SHA-512:6B1FFADA6C047D0A8FD00A49AAAC41C994B4D2912EE6CE825114238B8375F8779126EC1915F0566749E2AB572DAEE135374C329A04F80DA229B6502EB7A22AE9
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@.................................0,....@..................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1623552
                        Entropy (8bit):7.315126547383422
                        Encrypted:false
                        SSDEEP:24576:q4hkNUCb2CCyX9WN2+hZ1QR25/5TS6oopooZzNpJXKSyPaoAQ4XuKDroI8mbX:q4hkNjgs9Wo+hZ1QwRTSszt6SdTPt
                        MD5:4542F1B887ED30F16EFD7C29043C8248
                        SHA1:33F59FF72EEC093790FB06004356398854B45EA1
                        SHA-256:AE4F3EFDE48A77ADD18802DD0E3F1397A9733BD086BB58CD8A234CD19BAA715A
                        SHA-512:59953AC9FD3D874F1C90A91E39BB37C725770CBCD4B4E07724BEADDF7472734C4B6ACD0E16C2B6C6E634B6881D7AF008B654DF481A4ED72E0987EB2F24CAF36C
                        Malicious:true
                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........'\.}t\.}t\.}tU..tH.}t..xuI.}t..yuP.}t..~uY.}t..|uX.}tH.yu^.}tH.{u].}tH.|uQ.}t\.|t.}t..yu_.}t..xu..}t..}u].}t..t].}t\..t].}t...u].}tRich\.}t........................PE..L....f.d...........!......................................................................@A................................D...h..................................@...T...............................@............................................text...\........................... ..`.rdata..............................@..@.data....&..........................@....rsrc...............................@..@.reloc... ..........................@..B................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):6838272
                        Entropy (8bit):6.999747610498683
                        Encrypted:false
                        SSDEEP:98304:9NvLzusYmuoUdwomHopAOjQMifbKgvhiWaOuBu3tBuzn0Pc1Ty:9NvmB3pdRmHopVsh1+0
                        MD5:0E04D84AD860F1B2B760544B3C9E1C99
                        SHA1:9B224F0C40061AD2590D074946859429B23D4FF7
                        SHA-256:6F9A437108FD7D546D6166B0B544031BFFB96698F011C24B139F778CDD8D8BA1
                        SHA-512:10756D55914A26761337347FC718368E2AD6345EF8C05224D68467ADB6E961388A047FF885DA1715DAEFFD93CF8DD340427A6796CF64264407D56EBFFF8A8B93
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R...........0.....^....]......]......]......]................k.._......_...w.._......_.\......4...._......Rich...........PE..L....u.d...........!......@..........|........@..............................Pk......uh...@A........................@<U.x....<U.h.....Z.@.....................Z.....P.L.T.....................L.......L.@.............@.....T9U......................text...z.@.......@................. ..`.rdata..$.....@.......@.............@..@.data...xN....U......^U.............@....didat..d.....Z.......W.............@....rsrc...@.....Z.......W.............@..@.reloc...`....Z..V....X.............@..B................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2603520
                        Entropy (8bit):6.9743595190597265
                        Encrypted:false
                        SSDEEP:49152:kVFKbVKkBBDjzpg5SNZGeJ+lQ4RT1x7t4b/YCF:kVMbVRG5SN0lF5qbAS
                        MD5:A0A5EBF341422B70604310D881A1AF10
                        SHA1:20A86FF87B396DA6B301FB88316B306F3B3A7713
                        SHA-256:2D7953689AA942B48A3D0FCCCF4993C359565461A8FAA17F360FABEAF53C684D
                        SHA-512:61FB771FB39C496CF243568662115B96C8E53888329C14A82DFDF45CCDCC771A6004A403E55839FB4C7E4FF9E4A0DFFBC4BA5E996472DB8F37A2BF6FCFD29CD8
                        Malicious:true
                        Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......mu.v)..%)..%)..% lQ%=..%Kl?%-..%Kl.$1..%Kl.$#..%Kl.$%..%Kl.$-..%)..%...%=..$...%=..$(..%.m.$>..%.m.$...%.m.$I..%.m.$(..%.m=%(..%).U%(..%.m.$(..%Rich)..%........................PE..L...h#.d...........!.........d.......y........................................(.......'...@A............................("...........`!......................p!.P...p...T...............................@...............P............................text...+........................... ..`.rdata..............................@..@.data...<i.......v..................@....rsrc........`!......N .............@..@.reloc...p...p!..d...V .............@..B........................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):5426688
                        Entropy (8bit):6.501062922451931
                        Encrypted:false
                        SSDEEP:49152:/BDljDjDjDjcbmI+GXbdCF/1eD6wuDVsZd1uCF3pzDjW7Cro4O8b8ITDnlogyJ1K:J2bmFUf1uDVsZrNjsx7tIj
                        MD5:95C558CEE7BAC6DF714905B87999FB45
                        SHA1:A39A33A5AE6A5110E3C4B76860B5E8812F0BB5A0
                        SHA-256:13C40865A68ED95A9FDF0C4933BEC41FF03AF2D9BBE2F63C9411DA2A627E2016
                        SHA-512:340A2CCB792C82FF4FB4EF1CD334264F28944613132461168030BDC273C1B075597B49DE6AE666D47DDF3C5F3D189C9E56289722DD6F981AC13F535EF6EFF0D2
                        Malicious:true
                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d..........#......./..p......P"%.......0...@..........................pS.......S...@..........................@:......@:.......;..V...................@G.(e...^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...0...@G.......F.............@..B........................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):455680
                        Entropy (8bit):7.515461781505977
                        Encrypted:false
                        SSDEEP:12288:vT7y+Js09kT6D3BbA+5ciiyMtrkC1B7hLr64WM2CVhk5:vT7y+JZk2ZbcwMtZ1Zh36W2s
                        MD5:0FB551C547E9746FE1BDFF34C5FE50BE
                        SHA1:16EF639692875B6E5E77BBC96AD94B06AF1522CB
                        SHA-256:B37AC3CC1490D1150E636A7D138EBCBD9B7D3DACA81B9377F759FD70592F58EB
                        SHA-512:488315C1737CB2F1C42F5C8B04F554791C10D4D3ACDCD2FE5406B4C7A18261E3981644B30363BC8EBE30671781BF4814C1F9585BC8C1E019B9ADE9322CDBF00B
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........L..ZL..ZL..ZE.WZX..Z...[H..Z}.9ZN..ZX..[E..Z...[T..Z...[G..Z...[E..ZX..[m..ZL..Z..Z...[w..Z...[Y..Z...[M..Z...[M..ZRichL..Z........PE..L.....d..........#!...............................`.........................@......H!....@A................................8...|...............................x,...>..T...................@?......h>..@............................................text............................... ..`.rdata.............................@..@.data...<K......."..................@....reloc...0.......,..................@..B........................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):344576
                        Entropy (8bit):7.6067702318833454
                        Encrypted:false
                        SSDEEP:6144:kMKKyVAdclwXSGvRoVEu7ATmW5MmHQbrUFD5bBM5nx3czKRW3TDdZTIS:Kj+SBBsTbwMFDPMlxs2Rit
                        MD5:25433AD300DE4A3BEF9E7F190295780A
                        SHA1:25968F6A88B19E6D8400F4B2539A8F1B94C8ACD3
                        SHA-256:6EBA21C4FCCA7B4CFCF2564B1E9164925B523B8E270740D31F6B22209B2B2CE7
                        SHA-512:1B594846C78DD4CD32E2BE98730F8A519C1499D2F86D1CC32B2864F3844C922B862C657CBDE9FFC308274A970CB606C7407155F10E3A82C13796C8F536A036D4
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........g................d......d......d......d..................f......f......f............f......Rich....................PE..L......d...........!......................... ...............................p............@A............................l...l...........@.......................d...$E..T...........................xE..@............ ..L............................text............................... ..`.rdata...y... ...z..................@..@.data...............................@....rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):417792
                        Entropy (8bit):7.544399578609294
                        Encrypted:false
                        SSDEEP:6144:bzdZbp7W/SsnCnAKsz0QKTnuweIChp3YYPE8h4W8EPuXXadfKbwmEuxhPTunB:bjpm2AvMLypIYoqkXadVmjh6
                        MD5:A22CDB2270EBC1A3F14FEB29216582B4
                        SHA1:2BF6B0FCB262E691C6422BDFEF15F4BE2DF101B1
                        SHA-256:A23129EDAA9A966FF2DF8D9F3BF1E0F18CFB40FE0E053D332667B336D32E1122
                        SHA-512:0A8D8E27A14B808A23DD71C94EC19980CBFB93CF65EC84CEC672CA47778E01A6B57C557B54D823705453EA96330330B3A5CA4A68E4FEF05C289F1ACD485B394B
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... jgdA.4dA.4dA.4m9.4jA.4.5.5fA.4.5.5tA.4.5.5nA.4.5.5gA.4p*.5gA.4dA.41A.4.5.5oA.4.5.5eA.4.5.4eA.4dA.4eA.4.5.5eA.4RichdA.4........................PE..L...b..d...........!................Po..............................................l.....@A.........................E......<F.......p..x.......................@/..D...T...............................@............................................text............................... ..`.rdata..V...........................@..@.data........P.......<..............@....rsrc...x....p.......H..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):737280
                        Entropy (8bit):5.9459605711162435
                        Encrypted:false
                        SSDEEP:6144:lzBTgIVb0cJIH532l6wNVm5aK0eu/TJ1NsBP6EZ5+Tp4lQ2wQHpGBiH8hdvcw:lpb0cJIEEf0eu/N1s6okTqHHpGM8nc
                        MD5:56AE490FED7FAF998F1DD3F6D00A190D
                        SHA1:C1D4E7E302C578AD547835294CFE08B8A9AC6FD5
                        SHA-256:0A326708F71DC4C244FBD0F58E5AC129223F031D031ED07ADFA72F5AD43D5EB1
                        SHA-512:80EDDBB305962D2D398065FFF47F37EE52ABE994C336E0BF05160FD43543FCFBB767C38127A4C539B66E3A468E57CEE16862A15D6A220DE8715654A3A698BAC1
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................h...?.......?.......?.......................I...=.......=.......=.......=.{.............=.......Rich............PE..L..._P.d...........!.........................................................p.......g....@A.........................w......Lx................................... ...Q..T...................@S......PR..@............................................text............................... ..`.rdata..............................@..@.data...."...........|..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1121792
                        Entropy (8bit):6.5085542694272815
                        Encrypted:false
                        SSDEEP:24576:0WrEIb5N9WPltf43Bh43dol+eryK+0kEAyJBq:D4YWPlVafiOlyKfkFyvq
                        MD5:5C39F73CB3ABE19CE5B46E8DACD21C76
                        SHA1:A32967BFA0B2AD3F331A2342726C2924FE276010
                        SHA-256:24B086AD1720CC88A272143A3A99D4E2658920FD1F4B994A607710ACC069A4DB
                        SHA-512:0ECB3D9CFD59C0ACA3B334FBD774B49630C3C6F4BC43C7ED01AB36DA4FDE1F6F6837F2962B0434043B1AF15FE18C2B4660DC8AA0812593646A62FFBDD51E6649
                        Malicious:true
                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........d#...M...M...M..}...M.3qI...M.3qN...M.3qH...M.3qL...M..nI...M..nK...M..nL...M...L...M.1qI...M.1qH...M.1qM...M.1q....M......M.1qO...M.Rich..M.........................PE..L.....d..........#!......................... .....n......................................@A................................X...0....`.......................`..<v......T...............................@............ ..|............................text............................... ..`.orpc............................... ..`.rdata....... ......................@..@.data...ph.......*..................@....rsrc........`......................@..@.reloc...@...`...6..................@..B........................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2810880
                        Entropy (8bit):7.976099835066638
                        Encrypted:false
                        SSDEEP:49152:iKiC/rk62xWNol+5gOsLO66qJ6021cJjLtk4pWGNG5VGFPNqJyoTh69VN2kKej:LrZ23AbsK6Ro022JjL2WEiVqJZgdm
                        MD5:7F4454669FAEC8AF79C78BAF1115616A
                        SHA1:1775A6322E4777BAB0E758BBFE004AFDD86FDC3E
                        SHA-256:ECFA0E54FD2E57762A240FCD1565880DB0EC19D5C7395188E0EF4AA864148685
                        SHA-512:00894F5784DAF6C5D902012DFC544894EE2DB97236E7450921E12445B666A07176733C01CD5B77333C5F3169D7D2310C660C2D17F59E8813EFFB0D23043290CC
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L......A.................~... .......^... ........... ....................... ,......X+.......... .....................................0............................!............................................... ...............................text....|... ...~.................. ..`.data...............................@....rsrc....`*......`*.................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1823744
                        Entropy (8bit):7.126823607927202
                        Encrypted:false
                        SSDEEP:49152:cY+YaGRaY0F6GIA4JP5YBc+qH5hTMnUMd:d+Yd74630d
                        MD5:2DEA3B3810E19F2F686B7E2015F45B5C
                        SHA1:468F2422556F366CAB925275C0077D351D7E5286
                        SHA-256:F6224260A0DF80C2D890D75116F4EFBFBCBB804EC9A30A8BDD99AC317D779606
                        SHA-512:27294A2F4001558585B7C6F558BFA1FA699012C161A7D611E3640EC4C2DB092361DAD0492F31618AD22388639781FB1A9C62E9AA14933C016A659DE35AEF36CE
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................#.............#.......#...*...#.......#.......#.......#.p.....#.......Rich............................PE..L...2..............!.........P...............................................`.......W....@A.................................`.......p..@............................6..T...................0...........@............................................text............................... ..`.data...............................@....idata...!......."..................@..@.mrdata...... ......................@....detourd.....0......................@....detourc.....@......................@..@.c2r.........`...........................rsrc...@....p......................@..@.reloc..............................@..B................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):285184
                        Entropy (8bit):7.659195452211447
                        Encrypted:false
                        SSDEEP:6144:NXaPbeUjD5laX2lLpS+SykEsvAfcAS6HCGiQz98AAQMlHlvxSW:NX3UjD5laX2a7ZAkAS63iQxJ1MlHZx
                        MD5:87D9096948F4629BE68A6600BD915D21
                        SHA1:E29A0C8DCED9E377ACB371F0F382ACDF092DA170
                        SHA-256:AD571854EFF2B9F4044297ECC1071867D1EFEB0FA27C78AAACF968F2250E241D
                        SHA-512:98B2CF4AD13CC1C44390CC5CFB7586814C154643446830F4C33F51C7CC530AD2ABA2E354880C3CA07B33AFBAC81392E2988BC14C3E66E6D1DF08CBF2111943B9
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...KB.`.................h...........4............@.......................................@..............................................r...........................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...@...`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):306688
                        Entropy (8bit):7.658543723440289
                        Encrypted:false
                        SSDEEP:6144:2GZTPLUjD5hZ3DkxRF4LCEVhUbw2njRSUxqs92T4JFeteGr3RnR:2GdUjD5hZMAGba1ssT4jaecnR
                        MD5:A3D65A2874230EAD89B987555157C84A
                        SHA1:A4B45245C40ED3A40BF4135EBE305E57ECF9A780
                        SHA-256:874B070ABC2CD16CF90E30875EF2E0F6F1D6D43193D2939622FF1E77B83C918A
                        SHA-512:BD6B3FA33EB40346BAAA7DFA4196537868C505B5B66712243AE228A95681D54E89D004C39BD50ED8C5D763E0F807F50DD657514D1C9276992A49B38604CDB7B7
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....!.`.................h...........4............@..........................P............@.......................................... ...p...........................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata.......`...........................rsrc....0... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):5471232
                        Entropy (8bit):6.998899410439645
                        Encrypted:false
                        SSDEEP:98304:/HZhXJuKy5N299nHoS3bEPCW1STHLmqDYzcprnv4Fd:RhXJuK4NPoNW1S/jYkS
                        MD5:EC313942A7CAA341F2150D40DA2347C0
                        SHA1:4B98040ACDBAD526496CAB21D1600D2B77E9B62E
                        SHA-256:B052FB9BECCBAB935A8EBC21F1BA3FBDB2009C8D50E51AA8CA8FC7782993634C
                        SHA-512:BDDEF43AE24766F8870992F46432329A0FFC9ECD03B246D3EED6F86E10F65675F5F7085783BCA40E622A3AC84D72F282935CDFB17A4F755D999EBA1A30EA46BD
                        Malicious:true
                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L...P..e..........#.... ..*..Z........%......`+...@...........................S.......T...@..................................=......p?.......................?.....<.=.8...................P.:..... .+.@.............+......j=......................text.....*.......*................. ..`.rdata........+.......*.............@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc...0....?..*...R?.............@..B................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):352768
                        Entropy (8bit):7.63231517422192
                        Encrypted:false
                        SSDEEP:6144:nyXLcHG823lrLAguKIOO8xJnYsGROVTGY53ts0f1/Iedi7jMdkX5PK9dXm6MwNym:ny7cm9RIOO8xJn5G2TdpFf1JijM2JMeh
                        MD5:B987BF8A605C75ABEE4EC1E17D17EC41
                        SHA1:796439BC066D7B5802223ACBEE3687878CC7B2C1
                        SHA-256:FD547C2FABB044192CD68090580C401BF3E26577A559FBD85ABDCE673B071F84
                        SHA-512:E9CDC3AE6D6F136FA3CB374F750E80BA0C8668D7C53239884C8E09918B2FEBB15CAAFC2DF0A61E78C9F3D5F47349FA0FCFE9CDE895F0B11089F38D5329C05391
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k_.T/>i./>i./>i.|Ah.?>i.|Aj.%>i.|Am.?>i.&F.. >i./>h..?i.|Al.0>i.|Ai..>i.|A`.b>i.|A...>i.|Ak..>i.Rich/>i.................PE..L...^..............!...$.f...\.......$...................................................@A........................@r......x...........0.......................T....)..p........................... ...................p............................text...Rd.......f.................. ..`.data................j..............@....idata..t............t..............@..@.detourcH...........................@..@.detourd............................@....rsrc...0...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):270848
                        Entropy (8bit):7.727007419977574
                        Encrypted:false
                        SSDEEP:6144:ThrrtJTEeD3qzZkOP2ch0gJ4LU0GnvbRF8i4rl:TLJEK3AZkOPMYYGvbR
                        MD5:AC0DB26CFA314025826FFD91F0D36A0D
                        SHA1:05E90E706B6C6ECC5DBF583B1F25E449F86BE01B
                        SHA-256:84E3A6B2AB1BBF1193189F5CF78EE22ECE9286AA6B49D2872BC957831E36497B
                        SHA-512:D6B1663DCA423EAFDC656E2291926CCD61170DBFAF741A46EEFBCD272E2AC45F5525F265A6AF1F1850B24BC616394DB760394DDD5C22C046E4D58C3AAF6D419C
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.as{.. {.. {.. (..!q.. (..!q.. (..!k.. r. t.. {.. b.. (..!].. (..!z.. (..!;.. (.. z.. (..!z.. Rich{.. ................PE..L..................!...$.....B......pm.......................................p......+J....@A............................E...x.......................................(...p...................H...........................p............................text...E........................... ..`.data...............................@....idata..............................@..@.detourcH...........................@..@.detourd............................@....rsrc...............................@..@.reloc...`.......T..................@..B................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):791552
                        Entropy (8bit):7.426087788762161
                        Encrypted:false
                        SSDEEP:24576:WoNuSp+qiSkAYN/koUfkVuyRv/4xZmh/kS+:Gqi/F6U8xZmhg
                        MD5:DFAB7E8CADA82AE7A65F2E46EB0A12FE
                        SHA1:91014CD60D3C663F98A3D074192F95FF47CFBA28
                        SHA-256:E83D8F6A1B373AF6EE8303A44EE85912B81CEAA09FF64CF36209241C9F1E1DF6
                        SHA-512:113FE71E161189EADAF517F6BB5775AA46EDE83C1959210301695AA95B3266C620121EE70139BD1FA3291373D8E7B95FE54A5EEAE316740E7F3EB97F847ED21F
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p.......c....@..............................................;...................0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...@...0...@..................@..B........................................................................................................................................................
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):148480
                        Entropy (8bit):7.821341850557137
                        Encrypted:false
                        SSDEEP:3072:V2V6THkukqCStAK0GfqUeQwIReaOIZEKbQy3416w3JxxP:VDHzunLajE4QyhEt
                        MD5:C610E7CCD6859872C585B2A85D7DC992
                        SHA1:362B3D4B72E3ADD687C209C79B500B7C6A246D46
                        SHA-256:14063FC61DC71B9881D75E93A587C27A6DAF8779FF5255A24A042BEACE541041
                        SHA-512:8570AAD2AE8B5DCBA00FC5EBF3DC0EA117E96CC88A83FEBD820C5811BF617A6431C1367B3EB88332F43F80B30EBE2C298C22DCC44860A075F7B41BF350236666
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P6?.1Xl.1Xl.1Xl1F.l.1Xl.1Yl.1Xl.>.l.1Xl..l.1Xl..l.1XlRich.1Xl................PE..L.....d.................p.......... B............@..........................p............@.................................4...<............................`.......................................................................................text....n.......p.................. ..`.rdata...............t..............@..@.data................z..............@....reloc.......`.......@..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\393A.tmp
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):42844672
                        Entropy (8bit):7.947586210173337
                        Encrypted:false
                        SSDEEP:786432:8b+N2qYDxVRrMPJy7LVV4NDDmdrZy9wOtg5gGOdjtjSNu4GIluUNj56I59l5:8iNDWxDMPnN+dk65gGUjku4vNjLjl5
                        MD5:1DF0EE2F339076DC3DB71893CE8C181D
                        SHA1:3CC1E2BF126AF47FB4BDCEEEC5005C7BA32C910A
                        SHA-256:7806D129A14ABE446756EEADFA7FA9F5517F72979386248FEAAEA924AE106C49
                        SHA-512:E1CABF112366BD73B09DABD0BA08851F5BAE38D4F1982A71CA301319179064CC177035E92A364A82659812B674BAF75B18DD4FBFDD27391796FD5541670A8A52
                        Malicious:true
                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......8q..|..|..|...b.n...b.....e.o...e.`...e.....y.u...y.G...b.~...b.Z...e.k...b.O..|..!...e.....e.}...e1.}...e.}..Rich|..........PE..L....I............#.......*..dX.....0A........*...@..........................0............@.........................`k5..v..h.5...... 8.8NI..................p...=....1.p.....................1......o0.@.............*......j5.`....................text.....*.......*................. ..`.rdata...%....*..&....*.............@..@.data........ 6.......6.............@....didat..$.....8.......7.............@....rsrc...8NI.. 8..PI...7.............@..@.reloc.......p......................@..B................................................................................................................................................................................................................................
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.23989998882089
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
                        File size:463'872 bytes
                        MD5:91222ab87d00d9ebff53a1b275760a49
                        SHA1:3870e1c16c22984f21f113794666ed6b9bb1b0dd
                        SHA256:e4221b52d7918432b4d0f2a520d46a2bc4594beb2d67c53c60038f05fefa0f59
                        SHA512:c78be464d923ada0c7ddd4385f15379122c0583b49363e51e06fffe3184da96c281cf86c68469739db88c79dd0276399e076780cc8d76ce75c995445826b4731
                        SSDEEP:6144:6LJyeGtp4QLYJ7v7LFCSBWc2GyL8yZ2VvMzAVDEHtCZ3iKGIOrEe5qn2s8:Q8eGtLL27D5VWcLm9Z2DVW4Q9EnE
                        TLSH:04A48B17BE408031F0B20E786A90E2AC5B267C58D5934F87B5926ECFFBF55E18E21671
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Z...Z...Z.....(.S.....*. .....+.B.......K.......x.......K.....6._...Z..........._.....&.[.......[...RichZ..................
                        Icon Hash:1fa1b0b4b4b0701f
                        Entrypoint:0x4019d9
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Time Stamp:0x55BA71B2 [Thu Jul 30 18:49:22 2015 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:cf63b81dd7450773fe5d34299f963c66
                        Instruction
                        call 00007FC770EA066Bh
                        jmp 00007FC770E9CB95h
                        cmp ecx, dword ptr [0040F010h]
                        jne 00007FC770E9D36Dh
                        ret
                        push 0040231Bh
                        push dword ptr fs:[00000000h]
                        mov eax, dword ptr [esp+10h]
                        mov dword ptr [esp+10h], ebp
                        lea ebp, dword ptr [esp+10h]
                        sub esp, eax
                        push ebx
                        push esi
                        push edi
                        mov eax, dword ptr [0040F010h]
                        xor dword ptr [ebp-04h], eax
                        xor eax, ebp
                        push eax
                        mov dword ptr [ebp-18h], esp
                        push dword ptr [ebp-08h]
                        mov eax, dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFEh
                        mov dword ptr [ebp-08h], eax
                        lea eax, dword ptr [ebp-10h]
                        mov dword ptr fs:[00000000h], eax
                        ret
                        mov ecx, dword ptr [ebp-10h]
                        mov dword ptr fs:[00000000h], ecx
                        pop ecx
                        pop edi
                        pop edi
                        pop esi
                        pop ebx
                        mov esp, ebp
                        pop ebp
                        push ecx
                        ret
                        push 0040231Bh
                        push dword ptr fs:[00000000h]
                        mov eax, dword ptr [esp+10h]
                        mov dword ptr [esp+10h], ebp
                        lea ebp, dword ptr [esp+10h]
                        sub esp, eax
                        push ebx
                        push esi
                        push edi
                        mov eax, dword ptr [0040F010h]
                        xor dword ptr [ebp-04h], eax
                        xor eax, ebp
                        mov dword ptr [ebp-1Ch], eax
                        push eax
                        mov dword ptr [ebp-18h], esp
                        push dword ptr [ebp-08h]
                        mov eax, dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFEh
                        mov dword ptr [ebp-08h], eax
                        lea eax, dword ptr [ebp-10h]
                        mov dword ptr fs:[00000000h], eax
                        ret
                        mov ecx, dword ptr [ebp-1Ch]
                        xor ecx, ebp
                        call 00007FC770E9CC58h
                        Programming Language:
                        • [C++] VS2015 build 23026
                        • [RES] VS2015 build 23026
                        • [LNK] VS2015 build 23026
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe094 | 0x28 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x29058 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3b000 | 0xcd0 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9b84 | 0x54 | .text
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xd7d8 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x128 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xe02c | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x8cf4 | 0x8e00 | e6dc4eade122d0e9931c07808878eb5a | False | 0.5936949823943662 | data | 6.506638638429146 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata | 0xa000 | 0x473e | 0x4800 | 828f80ab6adeb19b13a85b93fb4b3356 | False | 0.3957248263888889 | data | 4.534224874648729 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0xf000 | 0x11bc | 0x800 | 29d461d754dda62d47d69172e15dfd08 | False | 0.177734375 | OpenPGP Secret Key | 2.1300340356195653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x11000 | 0x29058 | 0x29200 | 829ecbf6c27885b3506e19d453f6dd42 | False | 0.06111678381458967 | data | 2.0607615654464437 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x3b000 | 0x3a000 | 0x3a000 | 5064913766d7c0b0291991699e2aabb0 | False | 0.8860663052262931 | data | 7.775071760666916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0x11fb0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23521505376344087
                        RT_ICON | 0x12298 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                        RT_ICON | 0x123c0 | 0x2ca8 | Device independent bitmap graphic, 96 x 192 x 8, image size 9216, 256 important colors | English | United States | 0.048547935619314204
                        RT_ICON | 0x15068 | 0x1bc8 | Device independent bitmap graphic, 72 x 144 x 8, image size 5184, 256 important colors | English | United States | 0.06285151856017998
                        RT_ICON | 0x16c30 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.06770098730606489
                        RT_ICON | 0x18258 | 0x1418 | Device independent bitmap graphic, 60 x 120 x 8, image size 3600, 256 important colors | English | United States | 0.07231726283048212
                        RT_ICON | 0x19670 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.08049040511727079
                        RT_ICON | 0x1a518 | 0xba8 | Device independent bitmap graphic, 40 x 80 x 8, image size 1600, 256 important colors | English | United States | 0.09517426273458444
                        RT_ICON | 0x1b0c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10063176895306859
                        RT_ICON | 0x1b968 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.11981566820276497
                        RT_ICON | 0x1c030 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.15414507772020725
                        RT_ICON | 0x1c638 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10476878612716763
                        RT_ICON | 0x1cba0 | 0x86e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.840129749768304
                        RT_ICON | 0x1d410 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.025882909396678578
                        RT_ICON | 0x268b8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.029621072088724585
                        RT_ICON | 0x2bd40 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.03288852149267832
                        RT_ICON | 0x2ff68 | 0x3a48 | Device independent bitmap graphic, 60 x 120 x 32, image size 14880 | English | United States | 0.037265415549597856
                        RT_ICON | 0x339b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.04128630705394191
                        RT_ICON | 0x35f58 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.052366863905325446
                        RT_ICON | 0x379c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.06074108818011257
                        RT_ICON | 0x38a68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.09631147540983606
                        RT_ICON | 0x393f0 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.12151162790697674
                        RT_ICON | 0x39aa8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.12854609929078015
                        RT_GROUP_ICON | 0x39f10 | 0x148 | data | English | United States | 0.5792682926829268
                        RT_VERSION | 0x11570 | 0x454 | data | English | United States | 0.37906137184115524
                        RT_MANIFEST | 0x119c8 | 0x5e5 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.44002650762094103
                        DLL | Import
                        kernel32.dll | GetLastError, SetLastError, GetModuleFileNameW, GetModuleHandleA, OutputDebugStringA, GetProcAddress, LoadLibraryW, FormatMessageW, VerifyVersionInfoW, GetModuleHandleW, VerSetConditionMask, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess, RaiseException, RtlUnwind, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetProcessHeap, CloseHandle, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA
                        Language of compilation system | Country where language is spoken | Map
                        English | United States |
                        No network behavior found

                        Target ID:0
                        Start time:19:31:19
                        Start date:22/05/2024
                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe"
                        Imagebase:0x400000
                        File size:463'872 bytes
                        MD5 hash:91222AB87D00D9EBFF53A1B275760A49
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:19:31:19
                        Start date:22/05/2024
                        Path:C:\Users\user\AppData\Local\Temp\393A.tmp
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\Temp\393A.tmp
                        Imagebase:0x510000
                        File size:148'480 bytes
                        MD5 hash:C610E7CCD6859872C585B2A85D7DC992
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                          Execution Graph

                          Execution Coverage:3.9%
                          Dynamic/Decrypted Code Coverage:2.4%
                          Signature Coverage:3.6%
                          Total number of Nodes:1643
                          Total number of Limit Nodes:34
                          execution_graph 9929 402f80 9930 402fab 9929->9930 9931 402f8f 9929->9931 9932 405274 51 API calls 9930->9932 9931->9930 9933 402f95 9931->9933 9934 402fb2 GetModuleFileNameA 9932->9934 9935 4043fd _free 20 API calls 9933->9935 9936 402fd6 9934->9936 9937 402f9a 9935->9937 9952 4030a4 9936->9952 9938 404341 _abort 26 API calls 9937->9938 9940 402fa4 9938->9940 9942 403219 20 API calls 9943 403000 9942->9943 9944 403015 9943->9944 9945 403009 9943->9945 9947 4030a4 38 API calls 9944->9947 9946 4043fd _free 20 API calls 9945->9946 9951 40300e 9946->9951 9948 40302b 9947->9948 9950 403f69 _free 20 API calls 9948->9950 9948->9951 9949 403f69 _free 20 API calls 9949->9940 9950->9951 9951->9949 9954 4030c9 9952->9954 9953 4055ff 38 API calls 9953->9954 9954->9953 9956 403129 9954->9956 9955 402ff3 9955->9942 9956->9955 9957 4055ff 38 API calls 9956->9957 9957->9956 9241 401543 GetModuleHandleW 9339 408d03 IsProcessorFeaturePresent 9340 404904 9341 404914 9340->9341 9350 40492a 9340->9350 9342 4043fd _free 20 API calls 9341->9342 9343 404919 9342->9343 9345 404341 _abort 26 API calls 9343->9345 9346 404923 9345->9346 9347 404994 9347->9347 9370 403219 9347->9370 9349 404a02 9351 403f69 _free 20 API calls 9349->9351 9350->9347 9353 404a75 9350->9353 9359 404a94 9350->9359 9351->9353 9352 4049f9 9352->9349 9356 404a87 9352->9356 9376 40799f 9352->9376 9385 404cae 9353->9385 9357 404351 _abort 11 API calls 9356->9357 9358 404a93 9357->9358 9360 404aa0 9359->9360 9360->9360 9361 404034 _free 20 API calls 9360->9361 9362 404ace 9361->9362 9363 40799f 26 API calls 9362->9363 9364 404afa 9363->9364 9365 404351 _abort 11 API calls 9364->9365 9366 404b29 ___scrt_get_show_window_mode 9365->9366 9367 404bca FindFirstFileExA 9366->9367 9368 404c19 9367->9368 9369 404a94 26 API calls 9368->9369 9371 40322a 9370->9371 9372 40322e 9370->9372 9371->9352 9372->9371 9373 404034 _free 20 API calls 9372->9373 9374 40325c 9373->9374 9375 403f69 _free 20 API calls 
9374->9375 9375->9371 9379 4078ee 9376->9379 9377 407903 9378 407908 9377->9378 9380 4043fd _free 20 API calls 9377->9380 9378->9352 9379->9377 9379->9378 9383 40793f 9379->9383 9381 40792e 9380->9381 9382 404341 _abort 26 API calls 9381->9382 9382->9378 9383->9378 9384 4043fd _free 20 API calls 9383->9384 9384->9381 9386 404cb8 9385->9386 9387 404cc8 9386->9387 9388 403f69 _free 20 API calls 9386->9388 9389 403f69 _free 20 API calls 9387->9389 9388->9386 9390 404ccf 9389->9390 9390->9346 9958 403685 9959 403ed3 38 API calls 9958->9959 9960 40368d 9959->9960 9212 581710 9213 581721 9212->9213 9221 5823a0 9213->9221 9215 58172e 9216 581858 VirtualProtect 9215->9216 9218 5818a7 9216->9218 9217 5819a0 VirtualProtect 9217->9218 9218->9217 9220 5819f5 9218->9220 9219 581b84 CreateThread 9225 581bc0 9219->9225 9220->9219 9224 582380 GetPEB 9221->9224 9223 5823b2 9223->9215 9224->9223 9226 581bd4 9225->9226 9227 5823a0 GetPEB 9226->9227 9228 581be1 9227->9228 9229 581df2 9228->9229 9230 581d1e GetTempPathA GetTempFileNameA CreateFileA 9228->9230 9232 581d8c FindCloseChangeNotification 9228->9232 9233 581db1 CreateProcessA 9228->9233 9230->9228 9231 581d64 WriteFile 9230->9231 9231->9228 9232->9228 9233->9228 9961 404688 9962 404693 9961->9962 9963 4046a3 9961->9963 9967 4046a9 9962->9967 9966 403f69 _free 20 API calls 9966->9963 9968 4046c2 9967->9968 9969 4046bc 9967->9969 9971 403f69 _free 20 API calls 9968->9971 9970 403f69 _free 20 API calls 9969->9970 9970->9968 9972 4046ce 9971->9972 9973 403f69 _free 20 API calls 9972->9973 9974 4046d9 9973->9974 9975 403f69 _free 20 API calls 9974->9975 9976 4046e4 9975->9976 9977 403f69 _free 20 API calls 9976->9977 9978 4046ef 9977->9978 9979 403f69 _free 20 API calls 9978->9979 9980 4046fa 9979->9980 9981 403f69 _free 20 API calls 9980->9981 9982 404705 9981->9982 9983 403f69 _free 20 API calls 9982->9983 9984 404710 9983->9984 9985 403f69 _free 20 API calls 9984->9985 9986 40471b 9985->9986 9987 403f69 _free 20 API calls 
9986->9987 9988 404729 9987->9988 9993 40456f 9988->9993 9999 40447b 9993->9999 9995 404593 9996 4045bf 9995->9996 10012 4044dc 9996->10012 9998 4045e3 9998->9966 10000 404487 _abort 9999->10000 10007 40572b EnterCriticalSection 10000->10007 10003 404491 10005 403f69 _free 20 API calls 10003->10005 10006 4044bb 10003->10006 10004 4044c8 _abort 10004->9995 10005->10006 10008 4044d0 10006->10008 10007->10003 10011 405773 LeaveCriticalSection 10008->10011 10010 4044da 10010->10004 10011->10010 10013 4044e8 _abort 10012->10013 10020 40572b EnterCriticalSection 10013->10020 10015 4044f2 10016 404752 _free 20 API calls 10015->10016 10017 404505 10016->10017 10021 40451b 10017->10021 10019 404513 _abort 10019->9998 10020->10015 10024 405773 LeaveCriticalSection 10021->10024 10023 404525 10023->10019 10024->10023 10025 403d8b 10028 403448 10025->10028 10037 4033d2 10028->10037 10031 4033d2 5 API calls 10032 403466 10031->10032 10033 4033a3 20 API calls 10032->10033 10034 403471 10033->10034 10035 4033a3 20 API calls 10034->10035 10036 40347c 10035->10036 10040 4033eb 10037->10040 10038 4019e3 DloadLock 5 API calls 10039 40340c 10038->10039 10039->10031 10040->10038 9242 40154d GetModuleHandleA 10041 407a8d 10042 405274 51 API calls 10041->10042 10043 407a92 10042->10043 9391 404410 GetProcessHeap 9832 5874c8 9833 5874d9 9832->9833 9834 588158 GetPEB 9833->9834 9835 5874e6 9834->9835 9836 403dd0 9837 40277e ___scrt_uninitialize_crt 8 API calls 9836->9837 9838 403dd7 9837->9838 9243 401851 9248 401f6d SetUnhandledExceptionFilter 9243->9248 9245 401856 9249 403921 9245->9249 9247 401861 9248->9245 9250 403947 9249->9250 9251 40392d 9249->9251 9250->9247 9251->9250 9252 4043fd _free 20 API calls 9251->9252 9253 403937 9252->9253 9254 404341 _abort 26 API calls 9253->9254 9255 403942 9254->9255 9255->9247 9392 403412 9393 403424 9392->9393 9395 40342a 9392->9395 9396 4033a3 9393->9396 9397 4033b0 9396->9397 9398 4033cd 9396->9398 9399 4033c7 9397->9399 9400 403f69 _free 20 API 
[Execution Graph: function call graph residue. The graph was exported as a flat run of node ids, code addresses and `caller->callee` edges (for example `9405->9406 581858 VirtualProtect`) and is not reproduced here. Recoverable information from this span:]

Node address ranges: 0x401000-0x409fff (main image) and 0x581000-0x588fff (second region in the same export).

CRT/helper labels on nodes: _free, _abort, __onexit, __fassign, __freea, __dosmaperr, DloadLock, DloadProtectSection, DloadObtainSection, DloadReleaseSectionWriteAccess, ___delayLoadHelper2@8, try_get_function, __crt_fast_encode_pointer, ___scrt_get_show_window_mode, ___scrt_release_startup_lock, ___scrt_uninitialize_crt, ___vcrt_initialize_pure_virtual_call_handler, ___vcrt_uninitialize_ptd, ___vcrt_uninitialize_locks, GetPEB.

Windows API calls named on graph nodes: VirtualProtect, VirtualQuery, CreateThread, GetSystemInfo, GetCommandLineA, GetCommandLineW, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, GetFileType, GetStdHandle, GetProcAddress, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, FreeLibrary, GetModuleHandleW, GetModuleHandleExW, GetModuleFileNameW, GetLastError, SetLastError, RaiseException, IsProcessorFeaturePresent, IsDebuggerPresent, OutputDebugStringA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FormatMessageW, MessageBoxW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW, VerSetConditionMask, VerifyVersionInfoW, GetConsoleCP, GetConsoleMode, WriteConsoleW, CreateFileW, WriteFile, SetFilePointerEx, CloseHandle, GetCurrentProcess, TerminateProcess, ExitProcess.
calls 9812->9813 9814 405e18 9813->9814 9814->9800 9814->9804 9815->9814 9816 405e12 SetStdHandle 9815->9816 9816->9814 9817->9807 9818->9573 9819->9553 9314 402c69 9315 402c80 9314->9315 9316 402c73 9314->9316 9316->9315 9317 403f69 _free 20 API calls 9316->9317 9317->9315 9895 4079e9 9898 407a00 9895->9898 9899 407a22 9898->9899 9900 407a0e 9898->9900 9902 407a2a 9899->9902 9903 407a3c 9899->9903 9901 4043fd _free 20 API calls 9900->9901 9904 407a13 9901->9904 9905 4043fd _free 20 API calls 9902->9905 9906 404091 __fassign 38 API calls 9903->9906 9909 4079fb 9903->9909 9907 404341 _abort 26 API calls 9904->9907 9908 407a2f 9905->9908 9906->9909 9907->9909 9910 404341 _abort 26 API calls 9908->9910 9910->9909 9911 4056ea 9912 4056f5 9911->9912 9913 4059fc 11 API calls 9912->9913 9914 40571e 9912->9914 9915 40571a 9912->9915 9913->9912 9917 405742 9914->9917 9918 40576e 9917->9918 9919 40574f 9917->9919 9918->9915 9920 405759 DeleteCriticalSection 9919->9920 9920->9918 9920->9920 10154 4019aa 10155 4036e0 _abort GetModuleHandleW 10154->10155 10156 4019b2 10155->10156 10157 4037bb _abort 28 API calls 10156->10157 10158 4019be 10156->10158 10157->10158 10160 4019c9 _abort 10158->10160 10161 40379d 10158->10161 10162 403586 _abort 28 API calls 10161->10162 10163 4037a8 10162->10163 10163->10160 9820 40342d 9821 403445 9820->9821 9822 40343f 9820->9822 9823 4033a3 20 API calls 9822->9823 9823->9821 10164 4017ae 10165 4017b6 10164->10165 10184 40381f 10165->10184 10167 4017c1 10191 401b55 10167->10191 10169 401841 10170 401e25 ___scrt_initialize_onexit_tables 4 API calls 10169->10170 10171 401848 ___scrt_initialize_default_local_stdio_options 10170->10171 10172 4017d6 __RTC_Initialize 10172->10169 10196 401cf9 10172->10196 10174 4017ef 10174->10169 10175 401800 10174->10175 10199 401db7 InitializeSListHead 10175->10199 10177 401805 10200 401dc3 10177->10200 10179 401828 10206 4038b9 10179->10206 10183 401839 10185 403851 10184->10185 10186 40382e 10184->10186 
10185->10167 10186->10185 10187 4043fd _free 20 API calls 10186->10187 10188 403841 10187->10188 10189 404341 _abort 26 API calls 10188->10189 10190 40384c 10189->10190 10190->10167 10192 401b63 10191->10192 10195 401b68 ___scrt_initialize_onexit_tables 10191->10195 10193 401e25 ___scrt_initialize_onexit_tables 4 API calls 10192->10193 10192->10195 10194 401beb 10193->10194 10195->10172 10226 401cbe 10196->10226 10199->10177 10264 403e74 10200->10264 10202 401dd4 10203 401ddb 10202->10203 10204 401e25 ___scrt_initialize_onexit_tables 4 API calls 10202->10204 10203->10179 10205 401de3 10204->10205 10207 40479d _abort 38 API calls 10206->10207 10208 4038c4 10207->10208 10209 4043fd _free 20 API calls 10208->10209 10212 401833 10208->10212 10210 4038f1 10209->10210 10211 404341 _abort 26 API calls 10210->10211 10211->10212 10213 403279 10212->10213 10214 403282 10213->10214 10215 403285 10213->10215 10214->10183 10216 405274 51 API calls 10215->10216 10217 40328c 10216->10217 10270 405667 GetEnvironmentStringsW 10217->10270 10220 403297 10222 403f69 _free 20 API calls 10220->10222 10223 4032cc 10222->10223 10223->10183 10224 4032a2 10225 403f69 _free 20 API calls 10224->10225 10225->10220 10227 401ce2 10226->10227 10228 401cdb 10226->10228 10235 403d38 10227->10235 10232 403cc8 10228->10232 10231 401ce0 10231->10174 10233 403d38 __onexit 29 API calls 10232->10233 10234 403cda 10233->10234 10234->10231 10238 403a20 10235->10238 10241 403956 10238->10241 10240 403a44 10240->10231 10242 403962 _abort 10241->10242 10249 40572b EnterCriticalSection 10242->10249 10244 403970 10250 403b87 10244->10250 10246 40397d 10260 40399b 10246->10260 10248 40398e _abort 10248->10240 10249->10244 10251 403ba5 10250->10251 10258 403b9d __onexit __crt_fast_encode_pointer 10250->10258 10252 403bfe 10251->10252 10253 406816 __onexit 29 API calls 10251->10253 10251->10258 10254 406816 __onexit 29 API calls 10252->10254 10252->10258 10255 403bf4 10253->10255 10256 403c14 10254->10256 10257 
403f69 _free 20 API calls 10255->10257 10259 403f69 _free 20 API calls 10256->10259 10257->10252 10258->10246 10259->10258 10263 405773 LeaveCriticalSection 10260->10263 10262 4039a5 10262->10248 10263->10262 10265 403e92 10264->10265 10269 403eb2 10264->10269 10266 4043fd _free 20 API calls 10265->10266 10267 403ea8 10266->10267 10268 404341 _abort 26 API calls 10267->10268 10268->10269 10269->10202 10271 40567e 10270->10271 10281 4056d1 10270->10281 10274 405684 WideCharToMultiByte 10271->10274 10272 403291 10272->10220 10282 4032d2 10272->10282 10273 4056da FreeEnvironmentStringsW 10273->10272 10275 4056a0 10274->10275 10274->10281 10276 403fa3 __onexit 21 API calls 10275->10276 10277 4056a6 10276->10277 10278 4056c3 10277->10278 10279 4056ad WideCharToMultiByte 10277->10279 10280 403f69 _free 20 API calls 10278->10280 10279->10278 10280->10281 10281->10272 10281->10273 10283 4032e7 10282->10283 10284 404034 _free 20 API calls 10283->10284 10293 40330e 10284->10293 10285 403372 10286 403f69 _free 20 API calls 10285->10286 10287 40338c 10286->10287 10287->10224 10288 404034 _free 20 API calls 10288->10293 10289 403374 10291 4033a3 20 API calls 10289->10291 10292 40337a 10291->10292 10295 403f69 _free 20 API calls 10292->10295 10293->10285 10293->10288 10293->10289 10294 403396 10293->10294 10297 403f69 _free 20 API calls 10293->10297 10299 403f0f 10293->10299 10296 404351 _abort 11 API calls 10294->10296 10295->10285 10298 4033a2 10296->10298 10297->10293 10300 403f1c 10299->10300 10301 403f2a 10299->10301 10300->10301 10306 403f41 10300->10306 10302 4043fd _free 20 API calls 10301->10302 10303 403f32 10302->10303 10304 404341 _abort 26 API calls 10303->10304 10305 403f3c 10304->10305 10305->10293 10306->10305 10307 4043fd _free 20 API calls 10306->10307 10307->10303 9318 40606f 9319 406074 9318->9319 9321 406097 9319->9321 9322 405c9f 9319->9322 9323 405cac 9322->9323 9327 405cce 9322->9327 9324 405cc8 9323->9324 9325 405cba DeleteCriticalSection 9323->9325 9326 
403f69 _free 20 API calls 9324->9326 9325->9324 9325->9325 9326->9327 9327->9319 9921 405bef 9922 405c20 9921->9922 9923 405bfa 9921->9923 9923->9922 9924 405c0a FreeLibrary 9923->9924 9924->9923 9824 408f31 9825 408f47 9824->9825 9826 408f3b 9824->9826 9826->9825 9827 408f40 CloseHandle 9826->9827 9827->9825 9828 402832 9829 402844 9828->9829 9831 402852 @_EH4_CallFilterFunc@8 9828->9831 9830 4019e3 DloadLock 5 API calls 9829->9830 9830->9831 9328 401f79 9329 401fae 9328->9329 9331 401f89 9328->9331 9331->9329 9333 403ed3 9331->9333 9334 403edf _abort 9333->9334 9335 40479d _abort 38 API calls 9334->9335 9336 403ee4 9335->9336 9337 403ff1 _abort 38 API calls 9336->9337 9338 403f0e 9337->9338 9925 403eff 9926 403f02 9925->9926 9927 403ff1 _abort 38 API calls 9926->9927 9928 403f0e 9927->9928

                          Control-flow Graph

                          APIs
                            • Part of subcall function 004012B3: VerSetConditionMask.KERNEL32(00000000,00000000,00000001,00000003), ref: 0040130A
                            • Part of subcall function 004012B3: VerSetConditionMask.KERNEL32(00000000,?,00000002,00000003), ref: 00401312
                            • Part of subcall function 004012B3: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 0040131F
                            • Part of subcall function 004013F9: LoadLibraryW.KERNELBASE(?,?,?,?,0040DC80,00000010,00401572,setup.dll), ref: 00401433
                          • GetProcAddress.KERNEL32(00000000,WinMain), ref: 0040157C
                          • GetLastError.KERNEL32(?,setup.dll), ref: 00401586
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ConditionMask$AddressErrorInfoLastLibraryLoadProcVerifyVersion
                          • String ID: WinMain$setup.dll
                          • API String ID: 421461309-1435764911
                          • Opcode ID: 12e81490527b8d2da76c00c9df4043d9dd62bae64d793cc5d78f79dd39fc7d44
                          • Instruction ID: 05d5260d70215a0fbf88be33812195ecb48f559df5a90fa878945f8eb25320a0
                          • Opcode Fuzzy Hash: 12e81490527b8d2da76c00c9df4043d9dd62bae64d793cc5d78f79dd39fc7d44
                          • Instruction Fuzzy Hash: 88E022316C0724A2E20036A22E0AF7A21889F84B04F04027BFD46F96F1DABEC91050AE

                          Control-flow Graph

                          APIs
                          • OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup), ref: 004014AA
                          • GetLastError.KERNEL32 ref: 004014E1
                          Strings
                          • IsolationAware function called after IsolationAwareCleanup, xrefs: 004014A5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: DebugErrorLastOutputString
                          • String ID: IsolationAware function called after IsolationAwareCleanup
                          • API String ID: 4132100945-2690750368
                          • Opcode ID: 882e1215357b1c2429db534c2b582fdcf12ef2f09152e8e3281ee9c5806cd99c
                          • Instruction ID: c7e2465a59290e639e3ab283af3f1b20ea1269b91e9d11a33cff497457a4fd56
                          • Opcode Fuzzy Hash: 882e1215357b1c2429db534c2b582fdcf12ef2f09152e8e3281ee9c5806cd99c
                          • Instruction Fuzzy Hash: A7F0AF7024422166CB3A1FE49E8992B7384E655742B24403BE907F6AF0D738CC51869E

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32(00000003,?,00403675,00000003,0040DD00,0000000C,004037CC,00000003,00000002,00000000,?,00404033,00000003), ref: 004036C0
                          • TerminateProcess.KERNEL32(00000000,?,00403675,00000003,0040DD00,0000000C,004037CC,00000003,00000002,00000000,?,00404033,00000003), ref: 004036C7
                          • ExitProcess.KERNEL32 ref: 004036D9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: 3999ac7a8cee5972ca15f7f95d0efd166a8004fafbf253e5d94a83531af8baf3
                          • Instruction ID: 05463b616f10625c84ae8cdf7a7ff40c95c60f00cae9acb5adcd51fc374812d9
                          • Opcode Fuzzy Hash: 3999ac7a8cee5972ca15f7f95d0efd166a8004fafbf253e5d94a83531af8baf3
                          • Instruction Fuzzy Hash: 0BE04F31010208AFCF116F61CE0895A3F69EF00742B004435F9046A271CB3EED51CA48

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00401684
                          • SetLastError.KERNEL32(0000006F), ref: 00401698
                            • Part of subcall function 00401511: GetProcAddress.KERNEL32(75920AC0,?), ref: 00401533
                          • GetLastError.KERNEL32 ref: 004016EF
                          • LoadLibraryW.KERNELBASE(Comctl32.dll), ref: 0040176A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
                          • String ID: $@$Comctl32.dll$GetModuleHandleExW$QueryActCtxW
                          • API String ID: 3640817601-2626125606
                          • Opcode ID: 60faa1725d04bbe2ea76f133465b8538389fbe209c2a31cff199e28f55e84d78
                          • Instruction ID: 263061294b8edc0ec606f485d95ab726506ad3af84afe06e776a4a12d806a4ab
                          • Opcode Fuzzy Hash: 60faa1725d04bbe2ea76f133465b8538389fbe209c2a31cff199e28f55e84d78
                          • Instruction Fuzzy Hash: 9641877090031596DB309F658D89F9A76A9AB54754F2001BBE908F72F0DB7C8E84CF5D

                          Control-flow Graph

                          APIs
                          • GetTempPathA.KERNELBASE(00000104,?,?,75ECF732,?,2D5DFCB4,?,0F191CF4,?,7F3545C6,?,5DBCE6F0,?,F867A91E,?,F67B91BA), ref: 00581D2A
                          • GetTempFileNameA.KERNELBASE(?,00000000,00000000,?), ref: 00581D3F
                          • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00581D58
                          • WriteFile.KERNELBASE(000000FF,?,?,?,00000000), ref: 00581D7B
                          • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00000000), ref: 00581D96
                          • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00000000,00000044,?,?,00000000), ref: 00581DDB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_570000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: File$CreateTemp$ChangeCloseFindNameNotificationPathProcessWrite
                          • String ID: D
                          • API String ID: 4151965806-2746444292
                          • Opcode ID: e89ec4882413938687c8ba932707fc7ed013f9f47082d3d933b3c5f5915e2e72
                          • Instruction ID: d5372873bedb43ce796ac517c0387270caf88f48ec4e0b945b3c242d2bfe0e4b
                          • Opcode Fuzzy Hash: e89ec4882413938687c8ba932707fc7ed013f9f47082d3d933b3c5f5915e2e72
                          • Instruction Fuzzy Hash: 7161F7B5D05209ABDB10EBE0C945FEEBBB9FF84700F108599BA01BB241D7749B41DBA1

                          Control-flow Graph

                          APIs
                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,00000014,?,00000003,?,?,00000014,?,?,?,00000003,?), ref: 00581887
                          • VirtualProtect.KERNELBASE(?,00000004,00000040,?,?,00000004,?,00000003,?,?,00000004,?,?,?,00000003,?), ref: 005819BD
                          • CreateThread.KERNELBASE(00000000,00000000,?,?,00000000,00000000,?,?,?,00000003,?,?,?,?,00000008,00000000), ref: 00581B99
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_570000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ProtectVirtual$CreateThread
                          • String ID:
                          • API String ID: 3076554488-0
                          • Opcode ID: e84ea90922d8f46759b8683c11c69790b9c1e45dc3dfbed7c9cf8b04840bc4f2
                          • Instruction ID: 1b6e7d18601d58bdbeacb67f0cae26eefa3b8b5abb7de0dd9d7637b63d6a08c5
                          • Opcode Fuzzy Hash: e84ea90922d8f46759b8683c11c69790b9c1e45dc3dfbed7c9cf8b04840bc4f2
                          • Instruction Fuzzy Hash: 7802A574A00109EFCB04DF98C995EAEBBB6FF88304F248199E905BB355C731AE42DB54

                          Control-flow Graph

                          APIs
                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,00000014,?,00000003,?,?,00000014,?,?,?,00000003,?), ref: 00581887
                          • VirtualProtect.KERNELBASE(?,00000004,00000040,?,?,00000004,?,00000003,?,?,00000004,?,?,?,00000003,?), ref: 005819BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_570000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 321c20fbc341e22ee2e578fc2ef814300c27ef83d20e1571af343eb77e51c4ec
                          • Instruction ID: 037c6af5d19f7d6b1b5154f0d77d53807e6d4549a9236162b31bc9ca4ab3d6a5
                          • Opcode Fuzzy Hash: 321c20fbc341e22ee2e578fc2ef814300c27ef83d20e1571af343eb77e51c4ec
                          • Instruction Fuzzy Hash: D5B1B675A00109EFCB04DFD8C995EAEBBBAFF88304F248199E505BB345C635AE02DB54

                          Control-flow Graph

                          APIs
                          • FormatMessageW.KERNELBASE(00001000,00000000,?,00000000,?,00000400,00000000), ref: 0040128C
                          • MessageBoxW.USER32(00000000,?,00000000,00000000), ref: 0040129C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Message$Format
                          • String ID:
                          • API String ID: 3443136239-0
                          • Opcode ID: 5157386ac25b01b96da23b0a9efd285d927acc99a35dec98911bb6a7d2c3efb9
                          • Instruction ID: 83ac92ec612893d773a93ad2dad24fc9ec345670b0cd320eecb9dcc536a7936b
                          • Opcode Fuzzy Hash: 5157386ac25b01b96da23b0a9efd285d927acc99a35dec98911bb6a7d2c3efb9
                          • Instruction Fuzzy Hash: 8DF01CB2942128BAD7209F91ED09FEBBBACFF49351F004075BA45A6140DA305A18DBE9

                          Control-flow Graph

                          APIs
                          • ___vcrt_EventRegister.LIBVCRUNTIME ref: 00401029
                            • Part of subcall function 0040105D: ___vcrt_EventSetInformation.LIBVCRUNTIME ref: 00401072
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Event___vcrt_$InformationRegister
                          • String ID:
                          • API String ID: 1509250826-0
                          • Opcode ID: 0a39a414e425adb8f795a6342364ddea486703615ee30866936e2464a790e2a5
                          • Instruction ID: b6690cf9133d1a4ab120446c13546b8dbe2e10e225793eb592dd5b7e21ffd045
                          • Opcode Fuzzy Hash: 0a39a414e425adb8f795a6342364ddea486703615ee30866936e2464a790e2a5
                          • Instruction Fuzzy Hash: 25F0C2726002556BC314DE59C941EB7B3A8FB45B10B40012BFD59E7B90E339EC60D6E4

                          Control-flow Graph (basic blocks and edges recovered from the graph data; the executed / not-executed colouring of the rendered graph is not preserved in the text)
                          • 4013f9-401414 (call 4019f2) -> 401416-40141d, 40142c-401445
                          • 401416-40141d -> 40142c-401445, 40141f-401423
                          • 40141f-401423 (call 401496) -> 401428-40142a
                          • 401428-40142a -> 40142c-401445, 40144c-401451
                          • 40142c-401445 (LoadLibraryW, call 401457) -> 40144a
                          • 40144a -> 40144c-401451
                          • 40144c-401451 (call 401a38)
                          APIs
                          • LoadLibraryW.KERNELBASE(?,?,?,?,0040DC80,00000010,00401572,setup.dll), ref: 00401433
                            • Part of subcall function 00401496: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup), ref: 004014AA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: DebugLibraryLoadOutputString
                          • String ID:
                          • API String ID: 137895185-0
                          • Opcode ID: 590d6d99fe07ae58ae9c1b07831d7a6b33ea1f2c1ef36330c0938a96fd095198
                          • Instruction ID: b8798a45a7312295a03399119593779c3b4c0299f980a3731cea97bb50e861ce
                          • Opcode Fuzzy Hash: 590d6d99fe07ae58ae9c1b07831d7a6b33ea1f2c1ef36330c0938a96fd095198
                          • Instruction Fuzzy Hash: 3CF03071D113189BEF20EFA1C9097AD72B0AB2432AF00413AE414B21F1C7BC8689DF5E

                          Control-flow Graph (basic blocks and edges recovered from the graph data; the executed / not-executed colouring of the rendered graph is not preserved in the text)
                          • 4019d9 (call 401d0e) -> 4019de
                          • 4019de -> 4019de (self-loop)
                          APIs
                          • ___security_init_cookie.LIBCMT ref: 004019D9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ___security_init_cookie
                          • String ID:
                          • API String ID: 3657697845-0
                          • Opcode ID: 8d044bdfa063e65db4a345aba068586aa188d889df8a63b26edef3d3c8acf882
                          • Instruction ID: bbf794427f172e00cedef15b9afc75fb1630f2018869711aa11eb1dabf8e0e90
                          • Opcode Fuzzy Hash: 8d044bdfa063e65db4a345aba068586aa188d889df8a63b26edef3d3c8acf882
                          • Instruction Fuzzy Hash:
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00401E32
                          • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00401EF4
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 00401F13
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 00401F1D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                          • String ID:
                          • API String ID: 254469556-0
                          • Opcode ID: 01fc6ae459be8bfc662b0ae850b92f87201ae7e63059c64097db5d4320bd6450
                          • Instruction ID: 76e9eb69e932878ad8b70ed934b8170332e078c41a3195692c2293d3f6192ea4
                          • Opcode Fuzzy Hash: 01fc6ae459be8bfc662b0ae850b92f87201ae7e63059c64097db5d4320bd6450
                          • Instruction Fuzzy Hash: 0F311AB5C0122C9BCB20DFA5D989ACDBBB8FF08304F1041AAE40CA7250E7354A88CF45
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0040426F
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00404279
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00404286
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: 5ae5e2bc1264d5c17f259a9c1fac6180fbba0bd3295b171d7becebedbf519134
                          • Instruction ID: 37cb8877af3aa523560ca937e6fc3ab731a51dbf1775207932f5b7737ec66697
                          • Opcode Fuzzy Hash: 5ae5e2bc1264d5c17f259a9c1fac6180fbba0bd3295b171d7becebedbf519134
                          • Instruction Fuzzy Hash: EA31F6B090121C9BCB21DF24DD89B8DB7B4BF08310F5041EAE81CA7291E7789F858F48
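                          The two functions above are the ones behind the overview's "checks if a debugger is running (IsDebuggerPresent)" signature. Read together with the `___security_init_cookie` reference at 004019D9, their API shape (IsProcessorFeaturePresent(0x17), IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter) is consistent with the MSVC CRT's stack-cookie failure and report-fault handlers rather than bespoke anti-debugging, so a practitioner triaging this listing would down-weight them and look instead at the API-less functions lifted from the 0x570000 dump (protection 00000040, PAGE_EXECUTE_READWRITE, "based on PE: false"), and would deduplicate entries that the listing repeats verbatim. The script below is an added example, not part of the sandbox report: it parses entries in the plain-text layout used here, applies that heuristic and those two checks, and runs over a constructed excerpt copied from this page's own entries. The regexes, the verdict names, the interpretation of the dump-name fields and the CRT heuristic are this example's assumptions.

```python
"""Parse Joe Sandbox function-listing entries (APIs / Memory Dump Source /
Similarity) and triage the IsDebuggerPresent hits.  Added example; the regexes,
verdict names and heuristics are this example's own assumptions."""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40       # 5th dot-separated field of the .sdmp name (assumed layout)
PF_FASTFAIL_AVAILABLE = "00000017"  # probe made by the CRT GS-failure handler before __fastfail
CRT_FAULT_HANDLER = {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}

# Constructed excerpt: entries copied from the listing on this page; the last two
# are the verbatim duplicate pair lifted from the 0x570000 region.
SAMPLE = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00401E32
• IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00401EF4
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 00401F13
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 00401F1D
Memory Dump Source
• Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Instruction Fuzzy Hash: 0F311AB5C0122C9BCB20DFA5D989ACDBBB8FF08304F1041AAE40CA7250E7354A88CF45
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0040426F
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00404279
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00404286
Memory Dump Source
• Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Instruction Fuzzy Hash: EA31F6B090121C9BCB21DF24DD89B8DB7B4BF08310F5041EAE81CA7291E7789F858F48
APIs
• LoadLibraryW.KERNELBASE(?,?,?,?,0040DC80,00000010,00401572,setup.dll), ref: 00401433
  • Part of subcall function 00401496: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup), ref: 004014AA
Memory Dump Source
• Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Instruction Fuzzy Hash: 3CF03071D113189BEF20EFA1C9097AD72B0AB2432AF00413AE414B21F1C7BC8689DF5E
Memory Dump Source
• Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
• Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595
Memory Dump Source
• Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
• Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(
    r"^•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)$")


@dataclass
class Func:
    apis: list = field(default_factory=list)  # (name, module, first_arg, ref, subcall_of)
    offset: int = 0          # base of the memory region the function was lifted from
    pe_backed: bool = True   # "based on PE" field of the dump
    protect: int = 0         # page protection parsed out of the dump file name
    fuzzy: str = ""          # Instruction Fuzzy Hash, the entry's closing line


def parse_listing(text):
    """One Func per entry; an entry closes at its 'Instruction Fuzzy Hash' line."""
    funcs, cur = [], Func()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            first_arg = (m["args"] or "").split(",")[0]
            cur.apis.append((m["name"], m["module"], first_arg, m["ref"], m["sub"]))
        elif m := SOURCE_RE.match(line):
            cur.offset = int(m["offset"], 16)
            cur.pe_backed = m["pe"] == "true"
            cur.protect = int(m["dump"].split(".")[4], 16)
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy = line.partition(":")[2].strip()
            funcs.append(cur)
            cur = Func()
    return funcs


def triage_debugger_checks(funcs):
    """Verdict per direct IsDebuggerPresent call site, keyed by its ref address."""
    verdicts = {}
    for f in funcs:
        direct = {a[0] for a in f.apis if not a[4]}  # ignore 'Part of subcall' lines
        if "IsDebuggerPresent" not in direct:
            continue
        ref = next(a[3] for a in f.apis if a[0] == "IsDebuggerPresent" and not a[4])
        fastfail_probe = any(a[0] == "IsProcessorFeaturePresent" and a[2] == PF_FASTFAIL_AVAILABLE for a in f.apis)
        if CRT_FAULT_HANDLER <= direct and fastfail_probe:
            verdicts[ref] = "crt-gs-failure-handler"    # shape of __report_gsfailure/__raise_securityfailure
        elif CRT_FAULT_HANDLER <= direct:
            verdicts[ref] = "crt-report-fault-handler"  # same filter pair, no fast-fail probe
        else:
            verdicts[ref] = "review"                    # not explained by CRT boilerplate
    return verdicts


def unbacked_rwx(funcs):
    # RWX memory that is not mapped from a PE image is where unpacked or injected code usually lives
    return sorted({f.offset for f in funcs if not f.pe_backed and f.protect == PAGE_EXECUTE_READWRITE})


def unique_by_fuzzy(funcs):
    """Collapse entries that repeat an Instruction Fuzzy Hash (the listing repeats some verbatim)."""
    seen = {}
    for f in funcs:
        seen.setdefault(f.fuzzy or id(f), f)
    return list(seen.values())
```

On the excerpt this yields the two CRT verdicts (00401EF4 and 0040426F), the single unbacked RWX base 0x570000, and four unique functions out of five entries. The verdicts are a triage aid, not proof: a packer can imitate the CRT shape, so the "review" bucket and the 0x570000 functions still need a look at the disassembly.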
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00402154
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FeaturePresentProcessor
                          • String ID:
                          • API String ID: 2325560087-3916222277
                          • Opcode ID: 2383dfb5f00ab627c044154a30b4b9b455fb689356cbd6f4d9912e0b9a71d690
                          • Instruction ID: e6c7487c95e80319e55c228ab2bb8426ce4d822f6b2b921c9dd23f91317460c9
                          • Opcode Fuzzy Hash: 2383dfb5f00ab627c044154a30b4b9b455fb689356cbd6f4d9912e0b9a71d690
                          • Instruction Fuzzy Hash: A4516DB19002058BEB24CFA9EA9979ABBF4FB48310F14817ED405F76D1D3B8A954CF94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: .
                          • API String ID: 0-248832578
                          • Opcode ID: 8ef5e55c77e68964d2d48f48456bd28d6a20392384b3703872169575b4b243d6
                          • Instruction ID: 0201e383bc3022a18bf78847c864b503e43697a7e8e5a4806469773f82c4811f
                          • Opcode Fuzzy Hash: 8ef5e55c77e68964d2d48f48456bd28d6a20392384b3703872169575b4b243d6
                          • Instruction Fuzzy Hash: DA31F4B19002096BDB249E79CC84EEB7BBDDBC5314F0401BEEA18E72D1E638AD458B54
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_570000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: (
                          • API String ID: 0-3887548279
                          • Opcode ID: 15096769a9a7bd2d57ff740e66d830f063ed9f1d4c76ac7868a32657fa61a9b6
                          • Instruction ID: 317ba7e81cd71204fc6f8d9feaa328ac6e6a3357edda361ef912c5207b61a3e1
                          • Opcode Fuzzy Hash: 15096769a9a7bd2d57ff740e66d830f063ed9f1d4c76ac7868a32657fa61a9b6
                          • Instruction Fuzzy Hash: DE72F9B59002199BDB04DFD8C894BEEBBB5FF88304F14855EE909B7245DB34AA45CFA0
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_00001F79,00401856), ref: 00401F72
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: f68bfa4d4370fb6a65822c7a150dcd33007f5d98ff5cadf654fc5640689fd127
                          • Instruction ID: 82433a8220e34c72d70cf302ff13ecef55efb56af34a6edf7987b9446f2236dc
                          • Opcode Fuzzy Hash: f68bfa4d4370fb6a65822c7a150dcd33007f5d98ff5cadf654fc5640689fd127
                          • Instruction Fuzzy Hash:
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: HeapProcess
                          • String ID:
                          • API String ID: 54951025-0
                          • Opcode ID: a8089d9a89d6cf51148d61ef9277d461acee873c806c1fec8d87170ad49f8afe
                          • Instruction ID: a15cc49da17d105673869e4f830e2b9514d5b70b352881367c7cc7b1d38594e8
                          • Opcode Fuzzy Hash: a8089d9a89d6cf51148d61ef9277d461acee873c806c1fec8d87170ad49f8afe
                          • Instruction Fuzzy Hash: 2BA02430100305CFF3004F355F0530C35D575041C0311403C5C11D0170DF30405C5707
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_570000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 44cdec9d0d82a453b28ac20d197758d83c302d53787c970ac562511821793481
                          • Instruction ID: 731457063d51902066880010388cba9ffd518e4fd161b0f2ab1633de70f6088b
                          • Opcode Fuzzy Hash: 44cdec9d0d82a453b28ac20d197758d83c302d53787c970ac562511821793481
                          • Instruction Fuzzy Hash: 7272BAA684E7C19FD7038B345CB9291BFB4AE23205B0F46CBC4C09F4E7E258595AD762
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_570000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2a720430ec2fbddb7fe8824ac8a1879654366c4feaa8e206b07451b8f4b7d17c
                          • Instruction ID: bf3615fe761f6f7f6a021172cde2f3d14242e288316e9c081ac84af68c364fc1
                          • Opcode Fuzzy Hash: 2a720430ec2fbddb7fe8824ac8a1879654366c4feaa8e206b07451b8f4b7d17c
                          • Instruction Fuzzy Hash: 06C197A684E7D26FD7034B704C6A1817FB4AE23215B0B45DBC4C0CF8E3E258595AD7A3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_570000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 571e78338bd44dfa4cbbf36e506c6425bebe3278de3c160f8e4e80ec1eb09377
                          • Instruction ID: 0bb4a03f069f2deebc035d4135b753e7c8a2ea7ba450b624d8235ebbd9d2eb5f
                          • Opcode Fuzzy Hash: 571e78338bd44dfa4cbbf36e506c6425bebe3278de3c160f8e4e80ec1eb09377
                          • Instruction Fuzzy Hash: F851BE76D002299BDBA58F95DC85BDDBB75FB88300F1081EAAA0C76251CB742ED1DF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_570000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4264ae7901b07b385aa7607ff34bf0917237c8bfaf94989e576ce5dff9ebbcab
                          • Instruction ID: ae14267e792a016313b6928c2cce304072004247187f0383f096c5c06a79f949
                          • Opcode Fuzzy Hash: 4264ae7901b07b385aa7607ff34bf0917237c8bfaf94989e576ce5dff9ebbcab
                          • Instruction Fuzzy Hash: AED0ECB190220CFEDB10DADADA45ADEFBBCEB462A0F6000A6B508E3200E6715E005760
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272861292.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_570000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                          • Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
                          • Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                          • Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 00406546
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 004060DE
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 004060F0
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 00406102
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 00406114
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 00406126
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 00406138
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 0040614A
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 0040615C
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 0040616E
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 00406180
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 00406192
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 004061A4
                            • Part of subcall function 004060C1: _free.LIBCMT ref: 004061B6
                          • _free.LIBCMT ref: 0040653B
                            • Part of subcall function 00403F69: HeapFree.KERNEL32(00000000,00000000,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?), ref: 00403F7F
                            • Part of subcall function 00403F69: GetLastError.KERNEL32(?,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?,?), ref: 00403F91
                          • _free.LIBCMT ref: 0040655D
                          • _free.LIBCMT ref: 00406572
                          • _free.LIBCMT ref: 0040657D
                          • _free.LIBCMT ref: 0040659F
                          • _free.LIBCMT ref: 004065B2
                          • _free.LIBCMT ref: 004065C0
                          • _free.LIBCMT ref: 004065CB
                          • _free.LIBCMT ref: 00406603
                          • _free.LIBCMT ref: 0040660A
                          • _free.LIBCMT ref: 00406627
                          • _free.LIBCMT ref: 0040663F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID:
                          • API String ID: 161543041-0
                          • Opcode ID: afc586ee0037577c652be923471042fe137d0d68e291c00321989d2fef7a85fa
                          • Instruction ID: c6104731ab9f1e9f7f98a3f3115c9ba0997c9666a0fd26e26f0054a71c998d39
                          • Opcode Fuzzy Hash: afc586ee0037577c652be923471042fe137d0d68e291c00321989d2fef7a85fa
                          • Instruction Fuzzy Hash: 01315B71A04202AFDB209E3AEC45B57B7E8EF04315F15483FE44AE72D1DF79E9608A18
                          APIs
                          • _free.LIBCMT ref: 004046BD
                            • Part of subcall function 00403F69: HeapFree.KERNEL32(00000000,00000000,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?), ref: 00403F7F
                            • Part of subcall function 00403F69: GetLastError.KERNEL32(?,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?,?), ref: 00403F91
                          • _free.LIBCMT ref: 004046C9
                          • _free.LIBCMT ref: 004046D4
                          • _free.LIBCMT ref: 004046DF
                          • _free.LIBCMT ref: 004046EA
                          • _free.LIBCMT ref: 004046F5
                          • _free.LIBCMT ref: 00404700
                          • _free.LIBCMT ref: 0040470B
                          • _free.LIBCMT ref: 00404716
                          • _free.LIBCMT ref: 00404724
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 0d8088e1e21b6cac24fa9eb7ba1d7674f0674c8073aaf8b69bfb2d0fda793c61
                          • Instruction ID: 830d8844530a9cada48ccccb4a8f063c80025f25e2f3d7d385497075e9ea0a55
                          • Opcode Fuzzy Hash: 0d8088e1e21b6cac24fa9eb7ba1d7674f0674c8073aaf8b69bfb2d0fda793c61
                          • Instruction Fuzzy Hash: BB119976A00109FFCB01EFAAD842CDA3F79EF08756F41406ABA085B1A2D775DB509B84
                          APIs
                          • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408A1D,?,00000000,?,00000000,00000000), ref: 004082EA
                          • __fassign.LIBCMT ref: 00408365
                          • __fassign.LIBCMT ref: 00408380
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 004083A6
                          • WriteFile.KERNEL32(?,?,00000000,00408A1D,00000000,?,?,?,?,?,?,?,?,?,00408A1D,?), ref: 004083C5
                          • WriteFile.KERNEL32(?,?,00000001,00408A1D,00000000,?,?,?,?,?,?,?,?,?,00408A1D,?), ref: 004083FE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          • API String ID: 1324828854-0
                          • Opcode ID: fe92e44cf3ec50d0149df5d8e412adb0d3d972f524db88bf984a433f62aaaf32
                          • Instruction ID: 697ffde8db92011e1ea2eff21174a8e19afd3536343a9100bf2e964afd437fb7
                          • Opcode Fuzzy Hash: fe92e44cf3ec50d0149df5d8e412adb0d3d972f524db88bf984a433f62aaaf32
                          • Instruction Fuzzy Hash: 7E51927090024A9FCB10CFA8D945AEEBBB4EF49304F14413FE995F7291EB34A951CB69
                          APIs
                            • Part of subcall function 00406228: _free.LIBCMT ref: 00406251
                          • _free.LIBCMT ref: 004062B2
                            • Part of subcall function 00403F69: HeapFree.KERNEL32(00000000,00000000,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?), ref: 00403F7F
                            • Part of subcall function 00403F69: GetLastError.KERNEL32(?,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?,?), ref: 00403F91
                          • _free.LIBCMT ref: 004062BD
                          • _free.LIBCMT ref: 004062C8
                          • _free.LIBCMT ref: 0040631C
                          • _free.LIBCMT ref: 00406327
                          • _free.LIBCMT ref: 00406332
                          • _free.LIBCMT ref: 0040633D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 6f07f2a9f9584fa9bd23de519d91655df67e7fc45d73107d2c2fa4ed53b52fd5
                          • Instruction ID: dfd72ccc9fe1fb324d7b63f4c625ea057990b71fc4b9721dd57e9e2176c2f1e6
                          • Opcode Fuzzy Hash: 6f07f2a9f9584fa9bd23de519d91655df67e7fc45d73107d2c2fa4ed53b52fd5
                          • Instruction Fuzzy Hash: D7115C71940B05BAD520BBB2DC06FCB7BAC9F04704F410D3EB29AB60D2DB7CE5294A55
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                          • API String ID: 0-1718035505
                          • Opcode ID: 8b0a81bccd1b12aa39a60215cb88fc58bcf15ff99a66a0a4d787fb99cc55277f
                          • Instruction ID: 29daffa1caa366c5904f29902d8fa635bec665b7b2303b8212e94cd9818bbf10
                          • Opcode Fuzzy Hash: 8b0a81bccd1b12aa39a60215cb88fc58bcf15ff99a66a0a4d787fb99cc55277f
                          • Instruction Fuzzy Hash: 6C01D1B1691223ABCF305FB85E84597238A5A46369310403FE681F32C1DE7E8885A69D
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00405511,00000000,?,?,?,00407CED,?,?,00000100), ref: 00407AF6
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407CED,?,?,00000100,5EFC4D8B,?,?), ref: 00407B7C
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407C76
                          • __freea.LIBCMT ref: 00407C83
                            • Part of subcall function 00403FA3: HeapAlloc.KERNEL32(00000000,?,00000004,?,00404129,?,00000000,?,00406867,?,00000004,00000000,?,?,?,00403C14), ref: 00403FD5
                          • __freea.LIBCMT ref: 00407C8C
                          • __freea.LIBCMT ref: 00407CB1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide__freea$AllocHeap
                          • String ID:
                          • API String ID: 3147120248-0
                          • Opcode ID: cd3a109eac57bdd3168c261aa1db25a412291b492ce4ae57bba9c46cec3c51c4
                          • Instruction ID: b9649c55ccd508ca824116a82ec8070e672e4870e8c80c5955930764b044a22c
                          • Opcode Fuzzy Hash: cd3a109eac57bdd3168c261aa1db25a412291b492ce4ae57bba9c46cec3c51c4
                          • Instruction Fuzzy Hash: 9951D672A08206ABFB258F65CC41EBB77A9EB44754B15463AFC04F62C0DB3DFC50865A
                          APIs
                          • GetLastError.KERNEL32(?,?,00403EE4,0040DD88,0000000C,00401FB9), ref: 004047A1
                          • _free.LIBCMT ref: 004047D4
                          • _free.LIBCMT ref: 004047FC
                          • SetLastError.KERNEL32(00000000), ref: 00404809
                          • SetLastError.KERNEL32(00000000), ref: 00404815
                          • _abort.LIBCMT ref: 0040481B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ErrorLast$_free$_abort
                          • String ID:
                          • API String ID: 3160817290-0
                          • Opcode ID: 0e997a7a2c5036c2127036f3bd71df4a173c02d2cdd5cbf33ee35c75768743fa
                          • Instruction ID: 4343d886cee5211a58d65c4b6bd801fdd66dc7b193e67d63045320691cd35f16
                          • Opcode Fuzzy Hash: 0e997a7a2c5036c2127036f3bd71df4a173c02d2cdd5cbf33ee35c75768743fa
                          • Instruction Fuzzy Hash: 49F0D1B6100600ABC2123626AC06E1B26298BC2B2AF25403BFB14F32D2EF7D8802457D
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 00402346
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 004023C0
                            • Part of subcall function 00409512: __FindPESection.LIBCMT ref: 0040956B
                          • _ValidateLocalCookies.LIBCMT ref: 00402434
                          • _ValidateLocalCookies.LIBCMT ref: 0040245F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
                          • String ID: csm
                          • API String ID: 1685366865-1018135373
                          • Opcode ID: 7c8b1fcd99a810d27eb46590907131993aab51919a401a572ff47d24a59f1573
                          • Instruction ID: b661de8250a22a9023056c8771a086a483a6d180cc4e7ad2493a52a46e73069e
                          • Opcode Fuzzy Hash: 7c8b1fcd99a810d27eb46590907131993aab51919a401a572ff47d24a59f1573
                          • Instruction Fuzzy Hash: CC41A130900204ABCF10DF69C989A9FBBA5AF45318F14C17BE8147B3D2C7B99945CB99
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004036D5,00000003,?,00403675,00000003,0040DD00,0000000C,004037CC,00000003,00000002), ref: 00403744
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403757
                          • FreeLibrary.KERNEL32(00000000,?,?,?,004036D5,00000003,?,00403675,00000003,0040DD00,0000000C,004037CC,00000003,00000002,00000000), ref: 0040377A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: 45a98e9e970b7dc50b4b1b25a9418c92813c7968d359b12884e088b448538c38
                          • Instruction ID: 6a87ba44e7975e3ac6c01227edf19c8d8185b9220987c5095947443d41d5ddc7
                          • Opcode Fuzzy Hash: 45a98e9e970b7dc50b4b1b25a9418c92813c7968d359b12884e088b448538c38
                          • Instruction Fuzzy Hash: 5FF04471900208BBCB119FA0DD49B9E7FB8EB44716F104179F805B22A0CB785A94DB99
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 9a897223dab81620862c838673dd6e85a0ecf639c8f03ed3fe077cd053c78f8e
                          • Instruction ID: 47087338e3935604a0ec683543ddee363c625edd6e17e86d3b53ece20c4b04d6
                          • Opcode Fuzzy Hash: 9a897223dab81620862c838673dd6e85a0ecf639c8f03ed3fe077cd053c78f8e
                          • Instruction Fuzzy Hash: 2641E133E002049BDB20DF78C980A5ABBB9EF89714F15857AE511FB382D635AE018B84
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 00405670
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405693
                            • Part of subcall function 00403FA3: HeapAlloc.KERNEL32(00000000,?,00000004,?,00404129,?,00000000,?,00406867,?,00000004,00000000,?,?,?,00403C14), ref: 00403FD5
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004056B9
                          • _free.LIBCMT ref: 004056CC
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004056DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                          • String ID:
                          • API String ID: 2278895681-0
                          • Opcode ID: ecdca04bf8f692c56b3cbb040eb37f395e4548af417934448c139bfbedf9708b
                          • Instruction ID: a809c0cda03634f5e3daafeaaa9ad3076113c1d6fe3595c8315df8f62dd4fb3b
                          • Opcode Fuzzy Hash: ecdca04bf8f692c56b3cbb040eb37f395e4548af417934448c139bfbedf9708b
                          • Instruction Fuzzy Hash: C301F562A01B197FE7201A665C48C7B3D6CDAC2BA1350053BB908E6280DABA8C0185B9
                          APIs
                          • GetLastError.KERNEL32(?,?,?,00404402,00404147,?,00406867,?,00000004,00000000,?,?,?,00403C14,?,00000000), ref: 00404826
                          • _free.LIBCMT ref: 0040485B
                          • _free.LIBCMT ref: 00404882
                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040488F
                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00404898
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID:
                          • API String ID: 3170660625-0
                          • Opcode ID: fc2af57ee4d587d0cc53c085ad46fa9651c8a39ea0959dcf500d072422552113
                          • Instruction ID: 826d2ad4ef0861ae93cbcc0c26e79fbef6a848ead66661a5aeda7ecef36d4f07
                          • Opcode Fuzzy Hash: fc2af57ee4d587d0cc53c085ad46fa9651c8a39ea0959dcf500d072422552113
                          • Instruction Fuzzy Hash: 6701DBBB100740A7D2117A756D45D2B262DDBC1379B24483BF714F22D1EA7DCC02452D
                          APIs
                          • _free.LIBCMT ref: 004061D7
                            • Part of subcall function 00403F69: HeapFree.KERNEL32(00000000,00000000,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?), ref: 00403F7F
                            • Part of subcall function 00403F69: GetLastError.KERNEL32(?,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?,?), ref: 00403F91
                          • _free.LIBCMT ref: 004061E9
                          • _free.LIBCMT ref: 004061FB
                          • _free.LIBCMT ref: 0040620D
                          • _free.LIBCMT ref: 0040621F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 3e8a07f16560c0274265ba096d478be047e6d67bafe36cf7776a5d273f3102ed
                          • Instruction ID: 856cd0a66e3018a18ee3598979e1d10918e0298b17425f3228547c94b2cf1815
                          • Opcode Fuzzy Hash: 3e8a07f16560c0274265ba096d478be047e6d67bafe36cf7776a5d273f3102ed
                          • Instruction Fuzzy Hash: 10F04F329182016BC620EF69F985C1777EDEA087103550C3EF409F7A91CB39FD914A6C
                          APIs
                          • _free.LIBCMT ref: 00403DF7
                            • Part of subcall function 00403F69: HeapFree.KERNEL32(00000000,00000000,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?), ref: 00403F7F
                            • Part of subcall function 00403F69: GetLastError.KERNEL32(?,?,00406256,?,00000000,?,00000000,?,0040627D,?,00000007,?,?,0040669A,?,?), ref: 00403F91
                          • _free.LIBCMT ref: 00403E09
                          • _free.LIBCMT ref: 00403E1C
                          • _free.LIBCMT ref: 00403E2D
                          • _free.LIBCMT ref: 00403E3E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 9cf22ce1d3f366fbff18a08185e48d68a74567e71b4087104ef32aa8b84a46b3
                          • Instruction ID: 10ac36483fbfb8ee9ee91a1ac259454efc0d724431090f86ed28a107e31dd657
                          • Opcode Fuzzy Hash: 9cf22ce1d3f366fbff18a08185e48d68a74567e71b4087104ef32aa8b84a46b3
                          • Instruction Fuzzy Hash: E5F03075814111ABD6616F78FD014463FA8FB18721340023BF411B2BF1C7B94A858ECC
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe,00000104), ref: 00402FC0
                          • _free.LIBCMT ref: 0040308B
                          • _free.LIBCMT ref: 00403095
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.19720.20983.exe
                          • API String ID: 2506810119-991153524
                          • Opcode ID: 30b9f01f20f0c4a241bb883df8deb9666c8d97919e9fa422dcd751e88dc592bc
                          • Instruction ID: 7bd695e11813faf464462efa7a5951299f1f0b15a16e37c62483ac8694e21ae2
                          • Opcode Fuzzy Hash: 30b9f01f20f0c4a241bb883df8deb9666c8d97919e9fa422dcd751e88dc592bc
                          • Instruction Fuzzy Hash: 2E319271A00208AFDB21DF9ADD8499EBBBCEF85714B10407BE904B7281D6784B459B99
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00405511,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00406395
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040641E
                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00406430
                          • __freea.LIBCMT ref: 00406439
                            • Part of subcall function 00403FA3: HeapAlloc.KERNEL32(00000000,?,00000004,?,00404129,?,00000000,?,00406867,?,00000004,00000000,?,?,?,00403C14), ref: 00403FD5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                          • String ID:
                          • API String ID: 573072132-0
                          • Opcode ID: c2736fa637a8d2532378158561afd99dc03f6419e965a6c9942649113353f41f
                          • Instruction ID: a641f0f11edde69a772fa4a9a6b80a750ff0bb2d675bac133d9948ba42b9652a
                          • Opcode Fuzzy Hash: c2736fa637a8d2532378158561afd99dc03f6419e965a6c9942649113353f41f
                          • Instruction Fuzzy Hash: DF31EE72A0021AAFDB259F65CC41EAF7BA5EB40314B05413AFC05E6290E739CD65CBA8
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004057CD,00000000,00000000,00000000,00000000,?,004059CA,00000006,FlsSetValue), ref: 00405858
                          • GetLastError.KERNEL32(?,004057CD,00000000,00000000,00000000,00000000,?,004059CA,00000006,FlsSetValue,0040ABD8,0040ABE0,00000000,00000364,?,0040486F), ref: 00405864
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004057CD,00000000,00000000,00000000,00000000,?,004059CA,00000006,FlsSetValue,0040ABD8,0040ABE0,00000000), ref: 00405872
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          • API String ID: 3177248105-0
                          • Opcode ID: 5472892c2aec6f1bef93b09d9949894ea5de6a643368c0790391b0c818083d4c
                          • Instruction ID: eaf637194a8ce5000b4933de7a4375270689a5dfb29f2c213a2935ba5bf204f5
                          • Opcode Fuzzy Hash: 5472892c2aec6f1bef93b09d9949894ea5de6a643368c0790391b0c818083d4c
                          • Instruction Fuzzy Hash: 7A01B133601B269BD7216A79AC44E5B7B58EB457A17258631FD0AF3280C734D8218AE9
                          APIs
                          • _free.LIBCMT ref: 00404A70
                            • Part of subcall function 00404351: IsProcessorFeaturePresent.KERNEL32(00000017,00404340,00000000,?,00000004,00000000,?,?,?,?,0040434D,00000000,00000000,00000000,00000000,00000000), ref: 00404353
                            • Part of subcall function 00404351: GetCurrentProcess.KERNEL32(C0000417), ref: 00404375
                            • Part of subcall function 00404351: TerminateProcess.KERNEL32(00000000), ref: 0040437C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2272659295.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.2272637068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272690718.000000000040A000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272717764.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2272739204.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                          • String ID: *?$.
                          • API String ID: 2667617558-3972193922
                          • Opcode ID: 6e227bcadd0c2e78b14753c752197b419a94e98d140a0b72dff6ab6734fe4836
                          • Instruction ID: 17e61884d2bb1c89dd2b8808b701248a1e6e68b2176f54053f3246ae37b43581
                          • Opcode Fuzzy Hash: 6e227bcadd0c2e78b14753c752197b419a94e98d140a0b72dff6ab6734fe4836
                          • Instruction Fuzzy Hash: 6F5194B5E001099FDF14DFA9C841AAEB7B5EF98314F24417EE944F7381E6399E018B58