Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll
Analysis ID:	1446231
MD5:	0c30edd3251f1b2c9a60c16d8b543914
SHA1:	6473905dbc9ce63ffdf8c3ce82c8e564fa5d2cd7
SHA256:	78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60
Tags:	dll
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Drops executable to a common third party application directory

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5952 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5340 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 2724 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

regsvr32.exe (PID: 2024 cmdline: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

4BD.tmp (PID: 7108 cmdline: C:\Users\user\AppData\Local\Temp\4BD.tmp MD5: C610E7CCD6859872C585B2A85D7DC992)

rundll32.exe (PID: 6600 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,??0_Mutex@std@@QAE@W4_Uninitialized@1@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5860 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,??4_Init_locks@std@@QAEAAV01@ABV01@@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6408 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,DllCanUnloadNow MD5: 889B99C52A60DD49227C5E485A016679)

27D5.tmp (PID: 5880 cmdline: C:\Users\user\AppData\Local\Temp\27D5.tmp MD5: C610E7CCD6859872C585B2A85D7DC992)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems): Data: Details: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\loaddll32.exe, ProcessId: 5952, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\(Default)

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://login.microsoftonline.de/common	Avira URL Cloud: Label: phishing
Source: https://login.microsoftonline.microsoft.scloud/common	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe

Avira: detection malicious, Label: HEUR/AGEN.1363959

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

ReversingLabs: Detection: 60%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll	Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL

Source: C:\Windows\System32\loaddll32.exe

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjava\java.pdb source: java.dll.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.10.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\AcroPDF.pdb source: AcroPDF.dll.10.dr
Source:	Binary string: PDFPrevHndlr.pdb source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll
Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\mfc140u.i386.pdb source: mfc140u.dll0.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.10.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsdt\jsdt.pdb source: jsdt.dll.10.dr
Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\mfc140u.i386.pdbGCTL source: mfc140u.dll0.10.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.10.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdb source: MicrosoftEdgeUpdateCore.exe.10.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.10.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\win_clang_x86\ie_to_edge_bho.dll.pdb source: ie_to_edge_bho.dll.10.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\win_clang_x86\ie_to_edge_bho.dll.pdbOGP source: ie_to_edge_bho.dll.10.dr
Source:	Binary string: D:\a\1\s\bins\release\x86\file\pdf_only\mip_pdf_sdk.pdb source: mip_pdf_sdk.dll.10.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdbd source: MicrosoftEdgeUpdateCore.exe.10.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\OUTLVBA.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\onmain.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SHAREPOINTPROVIDER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocpptview.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\EBWebView\x86\EmbeddedBrowserWebView.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOCIALCONNECTOR.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RECALL.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetours.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLMAPI32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLKFSTUB.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\UmOutlookAddin.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OIMG.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OutlookWebHost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Psom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OMICAUT.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_bho.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PUBCONV.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPCORE.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AIDE.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocimport.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetoursCopyAccelerator.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Uc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SEQCHK10.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSRTEDIT.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Tec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Cpprest141_2_10.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OWSSUPP.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OsfTaskuser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\STSCOPY.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOA.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\MSVCR71.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\hprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLVBS.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WWLIB.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAME.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_bho.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\roottools.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXSEC32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONFILTER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\v8jsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RTC.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Win32MsgQueue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PSTPRX32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLFLTR.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\1033\XLSLICER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2iexp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\scdec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcOffice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLCTL.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLPH.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocrec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr110.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWDWG.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\management.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeFileLinkHandlingComponent.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4BD.tmp	Code function: 7_2_00581480 _snwprintf,FindFirstFileW,wcscmp,wcscmp,_snwprintf,FindNextFileW,FindClose,		7_2_00581480
Source: C:\Users\user\AppData\Local\Temp\4BD.tmp	Code function: 7_2_005813A0 _snwprintf,FindFirstFileW,wcscmp,wcscmp,_snwprintf,FindNextFileW,FindClose,		7_2_005813A0

Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: http://aka.ms/aippdf)
Source: java.dll.10.dr	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsup
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2023/07/mpsigstub_36fee640c8a9a0
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2023/09/am_user_258d635036a1f7
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2023/09/am_user_patch_1.1.2307
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2023/09/am_user_patch_1.1.2308
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2023/09/am_user_patch_1.1.2309
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownlo
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/softw
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/08/am_user_2b5004f02272fb
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/08/am_user_patch_1.1.2307
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/08/am_user_patch_1.1.2308
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/09/am_user_08ca6fd681f4dc
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/09/am_user_patch_1.1.2307
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/09/am_user_patch_1.1.2308
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/09/am_user_patch_1.1.2309
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/09/updateplatform.amd64fre_
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/10/am_base_4c52e39ff7f931fe
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/10/am_base_patch1_42a8e24ba
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/10/am_delta_patch_1.399.18.
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/ftpk/2023/08/windows10.0-kb5011048-x6
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2023/08/windows10.0-kb5029923-x6
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2023/09/windows10.0-kb5001716-x6
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/uprl/2023/09/windows-kb890830-x64-v5.
Source: 27D5.tmp, 0000000A.00000003.2423215058.0000000001C4E000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2433636802.0000000001CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: 27D5.tmp, 0000000A.00000003.2432933050.0000000001D3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2418094648.0000000001CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: 27D5.tmp, 0000000A.00000003.2423215058.0000000001C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: 27D5.tmp, 0000000A.00000003.2433636802.0000000001CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: 27D5.tmp, 0000000A.00000003.2433636802.0000000001CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: 27D5.tmp, 0000000A.00000003.2423215058.0000000001C4E000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2433636802.0000000001CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: 27D5.tmp, 0000000A.00000003.2423215058.0000000001C4E000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2433636802.0000000001CDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: 27D5.tmp, 0000000A.00000003.2432933050.0000000001C85000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2424607846.0000000001D10000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2433636802.0000000001D11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: 27D5.tmp, 0000000A.00000003.2418094648.0000000001CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: java.dll.10.dr	String found in binary or memory: http://java.oracle.com/
Source: java.dll.10.dr	String found in binary or memory: http://java.oracle.com/java.vendor.url.bughttp://bugreport.sun.com/bugreport/%d.%djava.class.version
Source: helper.exe.10.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.d
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.de
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.deli
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delive
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.m
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.mi
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000002636000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.micr
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.micrBosoft.com/filestreamingservice/files/e5fd51e1-714d-4a9f-ad84-b9c7c9da
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.micraosoft.com/filestreamingservice/files/a730fbc0-b3e6-42bf-9776-5c1a9503
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.micros
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.micros5oft.com/filestreamingservice/files/621f41c6-598e-4516-bb23-be21d146
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.microsLoft.com/filestreamingservice/files/ae12b07d-3012-4812-92a3-bdc1df33
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.microsof
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft.
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft.8com/filestreamingservice/files/1e08863d-491b-4609-a0f8-bd8fb8ab
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft.co
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft.coEm/filestreamingservice/files/17a1f764-1e22-4005-ad95-0bc97022
Source: Aut2exe.exe.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: https://api.Unsupported
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.147.37?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B
Source: 27D5.tmp, 0000000A.00000003.2423215058.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: 27D5.tmp, 0000000A.00000003.2432933050.0000000001CAA000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2432933050.0000000001C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: 27D5.tmp, 0000000A.00000003.2418094648.0000000001CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: 27D5.tmp, 0000000A.00000003.2423215058.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: 27D5.tmp, 0000000A.00000003.2423215058.0000000001CD9000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2423215058.0000000001D2A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2423215058.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2432933050.0000000001D20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: 27D5.tmp, 0000000A.00000003.2417891518.0000000001C33000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2422986086.0000000001C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: 27D5.tmp, 0000000A.00000003.2423215058.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: https://login.chinacloudapi.cn/common
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: https://login.microsoftonline.de/common
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: https://login.microsoftonline.eaglex.ic.gov/common
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: https://login.microsoftonline.microsoft.scloud/common
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: https://login.microsoftonline.us/common
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: https://login.windows.net/common
Source: 27D5.tmp, 0000000A.00000003.2423215058.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: 27D5.tmp, 0000000A.00000003.2432933050.0000000001CAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: 27D5.tmp, 0000000A.00000003.2432933050.0000000001D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: https://syncservice.o365syncservice.com/
Source: mip_pdf_sdk.dll.10.dr	String found in binary or memory: https://syncservice.o365syncservice.com/https://login.windows.net/commondataservice.protection.outlo

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EDD90B	0_2_00EDD90B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED52DB	0_2_00ED52DB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED624C	0_2_00ED624C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00A4D90B	4_2_00A4D90B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00A452DB	4_2_00A452DB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00A4624C	4_2_00A4624C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02D952DB	5_2_02D952DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02D9624C	5_2_02D9624C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02D9D90B	5_2_02D9D90B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00BFD90B	6_2_00BFD90B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00BF52DB	6_2_00BF52DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00BF624C	6_2_00BF624C
Source: C:\Users\user\AppData\Local\Temp\4BD.tmp	Code function: 7_2_00587420	7_2_00587420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0313624C	8_2_0313624C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_031352DB	8_2_031352DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0313D90B	8_2_0313D90B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0318624C	9_2_0318624C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_031852DB	9_2_031852DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0318D90B	9_2_0318D90B

Source: OneDriveSetup.exe.10.dr	Static PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 47694794 bytes, 767 files, at 0x44 +A "adal.dll" +A "alertIcon.png", flags 0x4, number 1, extra bytes 20 in head, 6100 datablocks, 0x1503 compression
Source: Acrobat.exe.10.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Binary or memory string: OriginalFilenamePDFPrevHndlr.dllT vs SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL

Source: 27D5.tmp.0.dr	Static PE information: Section: .data ZLIB complexity 0.9983910379955947
Source: 4BD.tmp.4.dr	Static PE information: Section: .data ZLIB complexity 0.9983910379955947
Source: 4BE.tmp.5.dr	Static PE information: Section: .data ZLIB complexity 0.9983910379955947
Source: 4DC.tmp.6.dr	Static PE information: Section: .data ZLIB complexity 0.9983910379955947
Source: 1084.tmp.8.dr	Static PE information: Section: .data ZLIB complexity 0.9983910379955947
Source: 1C3C.tmp.9.dr	Static PE information: Section: .data ZLIB complexity 0.9983910379955947

Source: classification engine

Classification label: mal80.spre.winDLL@18/128@0/0

Source: C:\Users\user\AppData\Local\Temp\4BD.tmp

Code function: 7_2_005812D0 SetErrorMode,GetLogicalDrives,_snwprintf,GetDriveTypeW,GetDiskFreeSpaceW,

7_2_005812D0

Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Mutant created: \Sessions\1\BaseNamedObjects\GA2RZNbm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03

Source: C:\Windows\System32\loaddll32.exe

File created: C:\Users\user\AppData\Local\Temp\27D5.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27D5.tmp

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,??0_Mutex@std@@QAE@W4_Uninitialized@1@@Z

Source: mip_pdf_sdk.dll.10.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: mip_pdf_sdk.dll.10.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,??0_Mutex@std@@QAE@W4_Uninitialized@1@@Z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Users\user\AppData\Local\Temp\4BD.tmp C:\Users\user\AppData\Local\Temp\4BD.tmp
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,??4_Init_locks@std@@QAEAAV01@ABV01@@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\AppData\Local\Temp\27D5.tmp C:\Users\user\AppData\Local\Temp\27D5.tmp
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,??0_Mutex@std@@QAE@W4_Uninitialized@1@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,??4_Init_locks@std@@QAEAAV01@ABV01@@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\AppData\Local\Temp\27D5.tmp C:\Users\user\AppData\Local\Temp\27D5.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Users\user\AppData\Local\Temp\4BD.tmp C:\Users\user\AppData\Local\Temp\4BD.tmp	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjava\java.pdb source: java.dll.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.10.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\AcroPDF.pdb source: AcroPDF.dll.10.dr
Source:	Binary string: PDFPrevHndlr.pdb source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll
Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\mfc140u.i386.pdb source: mfc140u.dll0.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.10.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsdt\jsdt.pdb source: jsdt.dll.10.dr
Source:	Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\mfc140u.i386.pdbGCTL source: mfc140u.dll0.10.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.10.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdb source: MicrosoftEdgeUpdateCore.exe.10.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.10.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\win_clang_x86\ie_to_edge_bho.dll.pdb source: ie_to_edge_bho.dll.10.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\win_clang_x86\ie_to_edge_bho.dll.pdbOGP source: ie_to_edge_bho.dll.10.dr
Source:	Binary string: D:\a\1\s\bins\release\x86\file\pdf_only\mip_pdf_sdk.pdb source: mip_pdf_sdk.dll.10.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdbd source: MicrosoftEdgeUpdateCore.exe.10.dr

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: AppVLP.exe.10.dr

Static PE information: 0x6D071FC2 [Sun Dec 19 02:30:26 2027 UTC]

Source: C:\Users\user\AppData\Local\Temp\4BD.tmp

Code function: 7_2_00581250 LoadLibraryW,GetProcAddress,

7_2_00581250

Source: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	Static PE information: section name: .orpc
Source: msedgeupdate.dll.10.dr	Static PE information: section name: .didat
Source: AppVLP.exe.10.dr	Static PE information: section name: .c2r
Source: excelcnv.exe.10.dr	Static PE information: section name: .detourc
Source: excelcnv.exe.10.dr	Static PE information: section name: .c2r
Source: mfc140u.dll.10.dr	Static PE information: section name: .didat
Source: JitV.dll.10.dr	Static PE information: section name: .detourc
Source: OneDriveSetup.exe.10.dr	Static PE information: section name: .didat
Source: MpDetoursCopyAccelerator.dll.10.dr	Static PE information: section name: .detourc
Source: MpDetoursCopyAccelerator.dll.10.dr	Static PE information: section name: .detourd
Source: AppSharingHookController.exe.10.dr	Static PE information: section name: .c2r
Source: MpDetours.dll.10.dr	Static PE information: section name: .detourc
Source: MpDetours.dll.10.dr	Static PE information: section name: .detourd
Source: MpDetoursCopyAccelerator.dll0.10.dr	Static PE information: section name: .detourc
Source: MpDetoursCopyAccelerator.dll0.10.dr	Static PE information: section name: .detourd
Source: lync.exe.10.dr	Static PE information: section name: .c2r
Source: lync99.exe.10.dr	Static PE information: section name: .c2r
Source: mce.dll.10.dr	Static PE information: section name: .orpc
Source: mfc140u.dll0.10.dr	Static PE information: section name: .didat
Source: VC_redist.x64.exe.10.dr	Static PE information: section name: .wixburn
Source: mip_pdf_sdk.dll.10.dr	Static PE information: section name: .didat
Source: MpDetours.dll0.10.dr	Static PE information: section name: .detourc
Source: MpDetours.dll0.10.dr	Static PE information: section name: .detourd
Source: AGM.dll.10.dr	Static PE information: section name: .didat
Source: msoadfsb.exe.10.dr	Static PE information: section name: .detourc
Source: msoadfsb.exe.10.dr	Static PE information: section name: .c2r
Source: Acrobat.exe.10.dr	Static PE information: section name: .didat
Source: AcroPDFImpl.dll.10.dr	Static PE information: section name: .orpc
Source: AppvIsvSubsystems32.dll.10.dr	Static PE information: section name: .mrdata
Source: AppvIsvSubsystems32.dll.10.dr	Static PE information: section name: .detourd
Source: AppvIsvSubsystems32.dll.10.dr	Static PE information: section name: .detourc
Source: AppvIsvSubsystems32.dll.10.dr	Static PE information: section name: .c2r
Source: AutoItX3.dll.10.dr	Static PE information: section name: .orpc

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Source: msvcr120.dll.10.dr	Static PE information: section name: .text entropy: 6.966904608417823
Source: pidgenx.dll.10.dr	Static PE information: section name: .text entropy: 6.826444727001932
Source: pidgenx.dll0.10.dr	Static PE information: section name: .text entropy: 6.82784970567938

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AIDE.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPST32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\OUTLVBA.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\onmain.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SHAREPOINTPROVIDER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocpptview.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\EBWebView\x86\EmbeddedBrowserWebView.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOCIALCONNECTOR.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RECALL.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetours.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLMAPI32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLKFSTUB.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\UmOutlookAddin.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OIMG.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OutlookWebHost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Psom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OMICAUT.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_bho.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PUBCONV.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPCORE.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AIDE.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocimport.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetoursCopyAccelerator.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Uc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SEQCHK10.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSRTEDIT.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Tec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Cpprest141_2_10.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OWSSUPP.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OsfTaskuser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\STSCOPY.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SOA.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\MSVCR71.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\hprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLVBS.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WWLIB.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAME.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_bho.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\roottools.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXSEC32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONFILTER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\v8jsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\RTC.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Win32MsgQueue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PSTPRX32.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLFLTR.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\1033\XLSLICER.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2iexp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\scdec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcOffice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLCTL.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLPH.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ocrec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msvcr110.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VVIEWDWG.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\management.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeFileLinkHandlingComponent.DLL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\EBWebView\x86\EmbeddedBrowserWebView.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\1C3C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_bho.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\27D5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\4DC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AIDE.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exe	File created: C:\Users\user\AppData\Local\Temp\4BD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Users\user\AppData\Local\Temp\wct425E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\7-Zip\7zCon.sfx	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Cpprest141_2_10.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\hprof.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\7-Zip\7z.sfx	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_bho.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXSEC32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\4BE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2iexp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jsdt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\1084.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\management.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\7-Zip\7z.sfx	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files\7-Zip\7zCon.sfx	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00ED7A9B rdtsc

0_2_00ED7A9B

Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mce_office.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSAEXP30.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\JitV.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\msedgeupdate.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\EBWebView\x86\EmbeddedBrowserWebView.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DLGSETP.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jli.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\wsdetect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EntityPicker.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\splashscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AGM.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Appshapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lyncDesktopViewModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssv.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_bho.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jdwp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\AIDE.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AutoHelper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MIMEDIR.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\appshvw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mce.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\cpprestsdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mip_pdf_sdk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\ACE.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\plugin2\npjp2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office15\pidgenx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wct425E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zCon.sfx	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIANEXT.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Cpprest141_2_10.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2ssv.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\concrt140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\hprof.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSPECTRE.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.sfx	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jfxwebkit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_bho.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EMSMDB32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOARIA.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACEDAO.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXSEC32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\concrt140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\appshcom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\EBWebView\x86\EmbeddedBrowserWebView.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat32OL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javafx_font.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2iexp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MLCFG32.CPL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MAPIPH.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIBUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\atl110.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jsdt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\appsharingmediaprovider.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\management.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\BIB.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MeetingJoinAxOC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CONTAB32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27D5.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\mfc140u.dll	Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\4BD.tmp	Code function: 7_2_00581480 _snwprintf,FindFirstFileW,wcscmp,wcscmp,_snwprintf,FindNextFileW,FindClose,		7_2_00581480
Source: C:\Users\user\AppData\Local\Temp\4BD.tmp	Code function: 7_2_005813A0 _snwprintf,FindFirstFileW,wcscmp,wcscmp,_snwprintf,FindNextFileW,FindClose,		7_2_005813A0

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rervice/files/695adaa3-a126-4578-ae8b-db6b0fdec214?P1=1696330670&P2=404&P3=2&P4=PJKFhfvDSFtuPU98VU0a4epl24HdgPbwPuEePI8%2b%2fAVMcInTmG4yVPxEkwAVfvJmiIHa50crFXEpnRMylsKVxQ%3d%3d
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA 3D
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:11:26.031][MicrosoftEdgeUpdate:msedgeupdate][6164:6168][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_edgeupdate=INBX&appBrandCode_webview=GGLS&appChannel_edgeupdate=6&appChannel_webview=5&appCohort_edgeupdate=rrf@0.24&appCohort_webview=rrf@0.75&appConsentState_edgeupdate=0&appConsentState_webview=0&appDayOfInstall_edgeupdate=0&appDayOfInstall_webview=6118&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_edgeupdate=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_edgeupdate=0&appInstallTimeDiffSec_webview=0&appIsPinnedSystem_edgeupdate=false&appIsPinnedSystem_webview=false&appLastLaunchCount_edgeupdate=0&appLastLaunchCount_webview=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_webview=false&appVersion_edgeupdate=1.3.177.11&appVersion_webview=117.0.2045.47&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=scheduler&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 08:56:22.600][MicrosoftEdgeUpdate:msedgeupdate][3356:4472][Send][url=https://msedge.api.cdp.microsoft.com/api/v1.1/contents/Browser/namespaces/Default/names/msedgeupdate-stable-win-x86/versions/latest?action=select][request={"targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.96,"AppTargetVersionPrefix":"","AppVersion":"1.3.147.37","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"core","IsInternalUser":false,"IsMachine":true,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.147.37"}}][filename=]
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000002636000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ccfa8ae1-3de7-46d7-a897-c8207e181b43?P1=1696331535&P2=404&P3=2&P4=U8tzlcVfvHbbpzMhxhgfsYXulfoiioa29F3hehhyrCbftohxlbYl06533b74%2bCdr0%2fjxlaNwreG6WuH1JeIX6A%3d%3d
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/92efd6f4-8322-4237-8676-c498f46420f6?P1=1696330670&P2=404&P3=2&P4=cuX7wzuk9OCho1MFW6XYQnRjDDOwrNnf4W%2fXMkZf2%2fPluwjwuLs6HvXCUAbHGFSD%2f3P%2bQgjF1fwsJZ%2fz9aZ6vg%3d%3d
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/20d45cc7-51ee-49e7-8b86-18633ee45c13?P1=1696330710&P2=404&P3=2&P4=F%2bab8IJ6wchgfsHlNt88m2M1RoXAnvX0idxnL5ev7mENUJ9KMhTKopHXGF1UbmGa9g8R7WLosY1p7UFH8xse1A%3d%3d
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:06:04.175][MicrosoftEdgeUpdate:msedgeupdate][8536:732][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appChannel_webview=5&appConsentState_webview=0&appDayOfInstall_webview=-1&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_webview=-86400&appIsPinnedSystem_webview=false&appLastLaunchCount_webview=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appVersion_webview=117.0.2045.47&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_webview=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 08:56:35.318][MicrosoftEdgeUpdate:msedgeupdate][4092:4100][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.147.37?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_stable=INBX&appChannel_stable=4&appConsentState_stable=0&appDayOfInstall_stable=0&appInstallTimeDiffSec_stable=0&appLastLaunchTime_stable=0&appUpdateCheckIsUpdateDisabled_stable=false&appVersion_stable=92.0.902.67&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osPlatform=win&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=core&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.147.37][request=][filename=]
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:05:09.866][MicrosoftEdgeUpdate:msedgeupdate][1336:8952][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.177.11&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/05/23 08:22:44.675][MicrosoftEdgeUpdate:msedgeupdate][9612:9436][Send][url=https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A&appBrandCode_edgeupdate=INBX&appBrandCode_stable=INBX&appBrandCode_webview=GGLS&appChannel_edgeupdate=6&appChannel_stable=4&appChannel_webview=5&appCohort_edgeupdate=rrf@0.24&appCohort_webview=rrf@0.75&appConsentState_edgeupdate=0&appConsentState_stable=0&appConsentState_webview=0&appDayOfInstall_edgeupdate=0&appDayOfInstall_stable=0&appDayOfInstall_webview=6118&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeApplied_stable=0&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeCleared_stable=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_edgeupdate=0&appInactivityBadgeDuration_stable=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_edgeupdate=86400&appInstallTimeDiffSec_stable=0&appInstallTimeDiffSec_webview=86400&appIsPinnedSystem_edgeupdate=false&appIsPinnedSystem_stable=false&appIsPinnedSystem_webview=false&appLastLaunchCount_edgeupdate=0&appLastLaunchCount_stable=1&appLastLaunchCount_webview=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appLastLaunchTime_stable=13340960379323595&appLastLaunchTimeJson_stable=2023-10-05t06:19:39.323z&appLastLaunchTimeDaysAgo_stable=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appVersion_stable=117.0.2045.55&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdateCheckIsUpdateDisabled_stable=false&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_stable=false&appUpdatesAllowedForMeteredNetworks_webview=false&appVersion_edgeupdate=1.3.177.11&appVersion_webview=117.0.2045.47&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=2&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=VMware,%20Inc.&oemProductName=VMware20,1&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.2006&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=scheduler&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.177.11][request=][filename=]
Source: 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;VMware, Inc. Display driver update released in April 2023Fhttp://schemas.microsoft.com/msus/2002/12/UpdateHandlers/WindowsDriver/http://support.microsoft.com/select/?target=hub!VMware, Inc. - Display - 9.17.6.3
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:05:10.568][MicrosoftEdgeUpdate:msedgeupdate][4796:8636][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"","AppRollout":0.63,"AppTargetVersionPrefix":"","AppVersion":"","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"otherinstallcmd","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":10,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/05/23 08:21:22.527][MicrosoftEdgeUpdate:msedgeupdate][10084:4916][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgeupdate-stable-win-x86","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"rrf@0.24","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.24,"AppTargetVersionPrefix":"","AppVersion":"1.3.177.11","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedge-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"117","AppRollout":0.04,"AppTargetVersionPrefix":"","AppVersion":"117.0.2045.47","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"GGLS","AppCohort":"rrf@0.75","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"117","AppRollout":0.75,"AppTargetVersionPrefix":"","AppVersion":"117.0.2045.47","ExpETag":"\"VPQoP1F+fq15wRzh1kPL4PMpWh8ORMB5izvrOC/chjQ=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]
Source: 27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2cd574c7-7f95-40ca-bf8e-0672877775b0?P1=1696331535&P2=404&P3=2&P4=DkYxDLYasZlIhhX63a0yDBM0tM%2bS4ze09HM%2fq6Lbn5hmJ7in%2b1CYq3Ql6GyQEmUvNHa7Ll20zSt66HLJpPgftQ%3d%3d
Source: 27D5.tmp, 0000000A.00000003.2422799789.0000000001476000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10/03/23 13:10:48.035][MicrosoftEdgeUpdate:msedgeupdate][4220:5516][Send][url=https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates][request=[{"Product":"msedgeupdate-stable-win-x86","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"1","AppRollout":0.72,"AppTargetVersionPrefix":"","AppVersion":"1.3.177.11","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedge-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"INBX","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"92","AppRollout":0.65,"AppTargetVersionPrefix":"","AppVersion":"92.0.902.67","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}},{"Product":"msedgewebview-stable-win-x64","targetingAttributes":{"AppAp":"","AppBrandCode":"GGLS","AppCohort":"","AppCohortHint":"","AppCohortName":"","AppLang":"","AppMajorVersion":"117","AppRollout":0.6,"AppTargetVersionPrefix":"","AppVersion":"117.0.2045.47","ExpETag":"\"qWJSzWwPfdcLR+XGIv6xrZfiYOxhPU2s1NWmjWcaFPg=\"","HW_AVX":true,"HW_DiskType":2,"HW_LogicalCpus":2,"HW_PhysicalRamGB":4,"HW_SSE":true,"HW_SSE2":true,"HW_SSE3":true,"HW_SSE41":true,"HW_SSE42":true,"HW_SSSE3":true,"InstallSource":"scheduler","IsInternalUser":false,"IsMachine":true,"IsWIP":false,"OemProductManufacturer":"VMware, Inc.","OemProductName":"VMware20,1","OsArch":"x64","OsPlatform":"win","OsRegionDMA":false,"OsRegionName":"CH","OsRegionNation":"223","OsVersion":"10.0.19045.2006","Priority":0,"Updater":"MicrosoftEdgeUpdate","UpdaterVersion":"1.3.177.11","WIPBranch":""}}]][filename=]

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00ED7A9B rdtsc

0_2_00ED7A9B

Source: C:\Users\user\AppData\Local\Temp\4BD.tmp

Code function: 7_2_00581250 LoadLibraryW,GetProcAddress,

7_2_00581250

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ED48E4 mov eax, dword ptr fs:[00000030h]	0_2_00ED48E4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EDA4BB mov eax, dword ptr fs:[00000030h]	0_2_00EDA4BB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00A4A4BB mov eax, dword ptr fs:[00000030h]	4_2_00A4A4BB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00A448E4 mov eax, dword ptr fs:[00000030h]	4_2_00A448E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02D948E4 mov eax, dword ptr fs:[00000030h]	5_2_02D948E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_02D9A4BB mov eax, dword ptr fs:[00000030h]	5_2_02D9A4BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00BFA4BB mov eax, dword ptr fs:[00000030h]	6_2_00BFA4BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00BF48E4 mov eax, dword ptr fs:[00000030h]	6_2_00BF48E4
Source: C:\Users\user\AppData\Local\Temp\4BD.tmp	Code function: 7_2_00583FD0 mov eax, dword ptr fs:[00000030h]	7_2_00583FD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0313A4BB mov eax, dword ptr fs:[00000030h]	8_2_0313A4BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_031348E4 mov eax, dword ptr fs:[00000030h]	8_2_031348E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0318A4BB mov eax, dword ptr fs:[00000030h]	9_2_0318A4BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_031848E4 mov eax, dword ptr fs:[00000030h]	9_2_031848E4

Source: C:\Users\user\AppData\Local\Temp\4BD.tmp

Code function: 7_2_00581040 GetProcessHeap,HeapReAlloc,

7_2_00581040

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Regsvr32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll	61%	ReversingLabs	Win32.Trojan.MintZard

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Avira	HEUR/AGEN.1363959
C:\Program Files (x86)\Java\jre-1.8\bin\java.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.cpl	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\j2pkcs11.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\j2gss.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://bugreport.sun.com/bugreport/	0%	URL Reputation	safe
http://java.oracle.com/	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV21C:	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod.C:	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod1C:	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	0%	URL Reputation	safe
http://relaxng.org/ns/structure/1.0	0%	URL Reputation	safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	0%	URL Reputation	safe
https://syncservice.o365syncservice.com/https://login.windows.net/commondataservice.protection.outlo	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.mi	0%	Avira URL Cloud	safe
http://tlu.dl.de	0%	Avira URL Cloud	safe
https://syncservice.o365syncservice.com/	0%	Avira URL Cloud	safe
https://login.microsoftonline.us/common	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.microsoft.8com/filestreamingservice/files/1e08863d-491b-4609-a0f8-bd8fb8ab	0%	Avira URL Cloud	safe
https://login.chinacloudapi.cn/common	0%	Avira URL Cloud	safe
http://java.oracle.com/java.vendor.url.bughttp://bugreport.sun.com/bugreport/%d.%djava.class.version	0%	Avira URL Cloud	safe
https://login.windows.net/common	0%	Avira URL Cloud	safe
http://tlu.dl.delivery	0%	Avira URL Cloud	safe
http://tlu.dl.	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.micr	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.micrBosoft.com/filestreamingservice/files/e5fd51e1-714d-4a9f-ad84-b9c7c9da	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.micraosoft.com/filestreamingservice/files/a730fbc0-b3e6-42bf-9776-5c1a9503	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.microsoft.coEm/filestreamingservice/files/17a1f764-1e22-4005-ad95-0bc97022	0%	Avira URL Cloud	safe
https://login.microsoftonline.de/common	100%	Avira URL Cloud	phishing
http://tlu.dl.delivery.mp.micros5oft.com/filestreamingservice/files/621f41c6-598e-4516-bb23-be21d146	0%	Avira URL Cloud	safe
https://api.Unsupported	0%	Avira URL Cloud	safe
http://aka.ms/aippdf)	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.microsLoft.com/filestreamingservice/files/ae12b07d-3012-4812-92a3-bdc1df33	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.m	0%	Avira URL Cloud	safe
http://tlu.dl.delive	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.microsoft.co	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.micros	0%	Avira URL Cloud	safe
https://login.microsoftonline.microsoft.scloud/common	100%	Avira URL Cloud	phishing
http://tlu.dl.deli	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.microsoft.	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/8	0%	Avira URL Cloud	safe
http://download.windowsup	0%	Avira URL Cloud	safe
https://login.microsoftonline.eaglex.ic.gov/common	0%	Avira URL Cloud	safe
http://tlu.d	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.microsof	0%	Avira URL Cloud	safe
http://tlu.dl.delivery.mp.	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://tlu.dl.de	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: safe	unknown
https://syncservice.o365syncservice.com/	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.us/common	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/java.vendor.url.bughttp://bugreport.sun.com/bugreport/%d.%djava.class.version	java.dll.10.dr	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery.mp.mi	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreport.sun.com/bugreport/	java.dll.10.dr	false	URL Reputation: safe	unknown
https://login.chinacloudapi.cn/common	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/	java.dll.10.dr	false	URL Reputation: safe	unknown
http://tlu.dl.delivery.mp.microsoft.8com/filestreamingservice/files/1e08863d-491b-4609-a0f8-bd8fb8ab	27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV21C:	27D5.tmp, 0000000A.00000003.2417891518.0000000001C33000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2422986086.0000000001C31000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://syncservice.o365syncservice.com/https://login.windows.net/commondataservice.protection.outlo	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	27D5.tmp, 0000000A.00000003.2423215058.0000000001CD9000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2423215058.0000000001D2A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2423215058.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2432933050.0000000001D20000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tlu.dl.	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery.mp.micrBosoft.com/filestreamingservice/files/e5fd51e1-714d-4a9f-ad84-b9c7c9da	27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	helper.exe.10.dr	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/	Aut2exe.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery.mp.micr	27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000002636000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery.mp.micraosoft.com/filestreamingservice/files/a730fbc0-b3e6-42bf-9776-5c1a9503	27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery.mp.micros5oft.com/filestreamingservice/files/621f41c6-598e-4516-bb23-be21d146	27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery.mp.microsoft.coEm/filestreamingservice/files/17a1f764-1e22-4005-ad95-0bc97022	27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.de/common	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: phishing	unknown
http://aka.ms/aippdf)	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: safe	unknown
https://api.Unsupported	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	27D5.tmp, 0000000A.00000003.2432933050.0000000001CAA000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2432933050.0000000001C46000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tlu.dl.delivery.mp.microsLoft.com/filestreamingservice/files/ae12b07d-3012-4812-92a3-bdc1df33	27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery.m	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod1C:	27D5.tmp, 0000000A.00000003.2418094648.0000000001CBB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tlu.dl.delive	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery.mp.microsoft.co	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2	27D5.tmp, 0000000A.00000003.2423215058.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tlu.dl.delivery.mp.micros	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	27D5.tmp, 0000000A.00000003.2423215058.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.microsoft.scloud/common	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: phishing	unknown
http://tlu.dl.deli	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tlu.dl.delivery.mp.microsoft.	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://download.windowsup	27D5.tmp, 0000000A.00000003.2430125614.0000000001C3A000.00000004.00000020.00020000.00000000.sdmp, 27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/8	Aut2exe.exe.10.dr	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.eaglex.ic.gov/common	mip_pdf_sdk.dll.10.dr	false	Avira URL Cloud: safe	unknown
http://relaxng.org/ns/structure/1.0	mip_pdf_sdk.dll.10.dr	false	URL Reputation: safe	unknown
http://tlu.dl.delivery.mp.microsof	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tlu.d	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	27D5.tmp, 0000000A.00000003.2423215058.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tlu.dl.delivery.mp.	27D5.tmp, 0000000A.00000003.2420071076.0000000001C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446231
Start date and time:	2024-05-23 01:30:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll
Detection:	MAL
Classification:	mal80.spre.winDLL@18/128@0/0
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 18 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 4BD.tmp, PID 7108 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtReadFile calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Simulations

Behavior and APIs

Time	Type	Description
19:31:35	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Process:	C:\Users\user\AppData\Local\Temp\27D5.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1944576
Entropy (8bit):	7.602126172068485
Encrypted:	false
SSDEEP:	24576:dYriSFmzimpMgKe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+s4ZY7PkFupr2v:dy9un9KkSR7Xgo4TiRPnLWvJ1rpr2v
MD5:	954B31F3C7A403A8C90AFBD370E4B1E1
SHA1:	75080C3E72C2F80699C18C825CDEF223DB09885B
SHA-256:	84FD1E73D0D387B4EB7FDC5FACB4D6D8BF25F5E9D1B858873CDB44E3EF009493
SHA-512:	BCEDF64015E9A693C0E71728BF7A390090CD45FC4C68ACA45F66E0588E65070084DD6ED3E745EFB646FE758A8E89DFF503EEF03F7136323788275C5DFE474087
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L.....(c..........#..................d............@.................................%................................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@..@................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	148480
Entropy (8bit):	7.821341850557137
Encrypted:	false
SSDEEP:	3072:V2V6THkukqCStAK0GfqUeQwIReaOIZEKbQy3416w3JxxP:VDHzunLajE4QyhEt
MD5:	C610E7CCD6859872C585B2A85D7DC992
SHA1:	362B3D4B72E3ADD687C209C79B500B7C6A246D46
SHA-256:	14063FC61DC71B9881D75E93A587C27A6DAF8779FF5255A24A042BEACE541041
SHA-512:	8570AAD2AE8B5DCBA00FC5EBF3DC0EA117E96CC88A83FEBD820C5811BF617A6431C1367B3EB88332F43F80B30EBE2C298C22DCC44860A075F7B41BF350236666
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P6?.1Xl.1Xl.1Xl1F.l.1Xl.1Yl.1Xl.>.l.1Xl..l.1Xl..l.1XlRich.1Xl................PE..L.....d.................p.......... B............@..........................p............@.................................4...<............................`.......................................................................................text....n.......p.................. ..`.rdata...............t..............@..@.data................z..............@....reloc.......`.......@..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	148480
Entropy (8bit):	7.821341850557137
Encrypted:	false
SSDEEP:	3072:V2V6THkukqCStAK0GfqUeQwIReaOIZEKbQy3416w3JxxP:VDHzunLajE4QyhEt
MD5:	C610E7CCD6859872C585B2A85D7DC992
SHA1:	362B3D4B72E3ADD687C209C79B500B7C6A246D46
SHA-256:	14063FC61DC71B9881D75E93A587C27A6DAF8779FF5255A24A042BEACE541041
SHA-512:	8570AAD2AE8B5DCBA00FC5EBF3DC0EA117E96CC88A83FEBD820C5811BF617A6431C1367B3EB88332F43F80B30EBE2C298C22DCC44860A075F7B41BF350236666
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P6?.1Xl.1Xl.1Xl1F.l.1Xl.1Yl.1Xl.>.l.1Xl..l.1Xl..l.1XlRich.1Xl................PE..L.....d.................p.......... B............@..........................p............@.................................4...<............................`.......................................................................................text....n.......p.................. ..`.rdata...............t..............@..@.data................z..............@....reloc.......`.......@..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	148480
Entropy (8bit):	7.821341850557137
Encrypted:	false
SSDEEP:	3072:V2V6THkukqCStAK0GfqUeQwIReaOIZEKbQy3416w3JxxP:VDHzunLajE4QyhEt
MD5:	C610E7CCD6859872C585B2A85D7DC992
SHA1:	362B3D4B72E3ADD687C209C79B500B7C6A246D46
SHA-256:	14063FC61DC71B9881D75E93A587C27A6DAF8779FF5255A24A042BEACE541041
SHA-512:	8570AAD2AE8B5DCBA00FC5EBF3DC0EA117E96CC88A83FEBD820C5811BF617A6431C1367B3EB88332F43F80B30EBE2C298C22DCC44860A075F7B41BF350236666
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P6?.1Xl.1Xl.1Xl1F.l.1Xl.1Yl.1Xl.>.l.1Xl..l.1Xl..l.1XlRich.1Xl................PE..L.....d.................p.......... B............@..........................p............@.................................4...<............................`.......................................................................................text....n.......p.................. ..`.rdata...............t..............@..@.data................z..............@....reloc.......`.......@..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.613100255842971
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 75.67% DirectShow filter (201580/2) 15.22% Windows ActiveX control (116523/4) 8.80% Generic Win/DOS Executable (2004/3) 0.15% DOS Executable Generic (2002/1) 0.15%
File name:	SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll
File size:	334'848 bytes
MD5:	0c30edd3251f1b2c9a60c16d8b543914
SHA1:	6473905dbc9ce63ffdf8c3ce82c8e564fa5d2cd7
SHA256:	78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60
SHA512:	fd3c9e3f4c4dd850944e2c9fa33008f0468dd88f95dba21b14499b626933aef6c460b36388288e653dc6d2bbdd1fcd9b9397bd259a572c00b6090ebbbb8e15b9
SSDEEP:	6144:paatUssGoOB/9+FAqE6VoZpdpwUlVioY0bIiL5VXyK6uHOD0:pa2shOqoZpnVlV3lVX/f+0
TLSH:	7564DF4BF2C6E4BAE11D18F18C59A2B64F37FB28481D8A9B73068F7D9BB04E59C11744
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x.b.<...<...<.......=...'...8...'...8...5...>...5...3...<.......'.../...'...2...'...=...'...=...'...=...Rich<...........PE..L..

Entrypoint:	0x1000c05f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x518E9B56 [Sat May 11 19:26:14 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2c5871fefdd4f4817183d3f5c0125cd4

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x13f20	0x10c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12668	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x2d40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x19000	0x110c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf3c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x108e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf000	0x398	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc02d	0xc200	385999ae79a7393b782c2e0e463896a3	False	0.5731113079896907	data	6.435627276778073	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.orpc	0xe000	0x2d	0x200	ffaee44cea6968dcf2b3358cff6533e9	False	0.11328125	data	0.7939985549025844	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf000	0x502c	0x5200	288a1d999d4e861f664b85a1ab8a4080	False	0.35113376524390244	SysEx File - Dynacord	4.897229972127989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x15000	0xcb8	0xa00	c1014a5cc39d813d53e6f3760e260818	False	0.232421875	data	4.5565849591992045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x16000	0x2d40	0x2e00	a629d00a6b61f557fb3eb64bfbccf19a	False	0.38816236413043476	data	4.818907929288311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x19000	0x3d000	0x3ca00	5e1b886b0e7d1d40dd114d6ea1cba8fd	False	0.8730146585051546	data	7.789711294038774	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
REGISTRY	0x161cc	0x81	ASCII text, with CRLF line terminators	English	United States	0.7286821705426356
REGISTRY	0x16250	0x5c1	ASCII text, with CRLF line terminators	English	United States	0.37338764426340804
TYPELIB	0x16814	0x1fc4	data	English	United States	0.39805705853418594
RT_STRING	0x187d8	0x5e	data	English	United States	0.5851063829787234
RT_VERSION	0x18838	0x3ac	data	English	United States	0.43617021276595747
RT_MANIFEST	0x18be4	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

DLL	Import
version.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
kernel32.dll	CreateMutexW, DisconnectNamedPipe, ReadFile, ConnectNamedPipe, WaitForSingleObject, WriteFile, GetProcAddress, GetModuleHandleW, InitializeCriticalSection, CreateEventW, CreateThread, ResetEvent, LocalFree, CreateNamedPipeW, CloseHandle, GetCurrentProcessId, SetEvent, DeleteCriticalSection, OpenMutexW, Sleep, SetNamedPipeHandleState, lstrlenW, GetVolumeInformationW, GetTickCount, GetModuleHandleA, GetFileAttributesW, GetVersion, RaiseException, InitializeCriticalSectionAndSpinCount, lstrcmpiW, LoadLibraryW, SetLastError, GetModuleFileNameW, CallNamedPipeW, LoadLibraryExW, InterlockedIncrement, InterlockedDecrement, FreeLibrary, MultiByteToWideChar, SizeofResource, LoadResource, FindResourceW, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, ReleaseMutex, SetThreadLocale, GetThreadLocale, TerminateProcess, GlobalUnlock, GlobalLock, GlobalSize, FindClose, FindFirstFileW, FormatMessageW, CreateProcessW, SetCurrentDirectoryW, GetSystemDirectoryW, GetCurrentDirectoryW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, InterlockedCompareExchange, InterlockedExchange, DecodePointer, EncodePointer, GetLastError, WaitNamedPipeW, CreateFileW, GetVersionExW, LeaveCriticalSection, EnterCriticalSection, IsDebuggerPresent, QueryPerformanceCounter, GetCurrentThreadId, OutputDebugStringA, GetSystemTimeAsFileTime
USER32.dll	SetFocus, GetKeyState, GetFocus, SetParent, PostMessageW, GetParent, MsgWaitForMultipleObjects, DispatchMessageW, TranslateMessage, PeekMessageW, WaitForInputIdle, CopyRect, IsWindow, EqualRect, SetWindowPos, CharNextW, IsRectEmpty
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryInfoKeyW, RegEnumKeyExW, RegQueryValueExW, RegOpenKeyExW
ole32.dll	CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, StringFromGUID2, CoCreateInstance, GetHGlobalFromStream, CoMarshalInterface, CreateStreamOnHGlobal
OLEAUT32.dll	RegisterTypeLib, UnRegisterTypeLib, LoadTypeLib, SysAllocString, SysFreeString, SysStringLen, VarUI4FromStr
MSVCP100.dll	??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@H@Z, ??0?$basic_ios@GU?$char_traits@G@std@@@std@@IAE@XZ, ??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z, ??1?$basic_ios@GU?$char_traits@G@std@@@std@@UAE@XZ, ??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAE@XZ, ??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UAE@XZ, ?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEPAGXZ, ?_BADOFF@std@@3_JB, ?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXH@Z, ?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXH@Z, ?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ, ?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEXABVlocale@2@@Z, ?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEHXZ, ?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEPAV12@PAG_J@Z, ?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPBG_J@Z, ?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPAG_J@Z, ?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEGXZ, ?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JXZ, ?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ, ?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ, ??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAE@XZ, ?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ, ?_Xlength_error@std@@YAXPBD@Z, ?_Xout_of_range@std@@YAXPBD@Z, ?clear@?$basic_ios@GU?$char_traits@G@std@@@std@@QAEXH_N@Z
MSVCR100.dll	srand, _time64, wcsrchr, _vsnwprintf, wcstok_s, _wtof, towlower, memmove_s, _wcsicmp, _wmakepath_s, _wsplitpath_s, _except_handler4_common, _unlock, __dllonexit, _lock, _onexit, __clean_type_info_names_internal, _crt_debugger_hook, ?_type_info_dtor_internal_method@type_info@@QAEXXZ, __CppXcptFilter, _amsg_exit, _initterm_e, _initterm, _encoded_null, _malloc_crt, rand, ?terminate@@YAXXZ, ??0exception@std@@QAE@ABQBD@Z, ?what@exception@std@@UBEPBDXZ, ??1exception@std@@UAE@XZ, ??3@YAXPAX@Z, memcpy, memmove, wcslen, memset, memcpy_s, ??2@YAPAXI@Z, _CxxThrowException, ??0exception@std@@QAE@ABV01@@Z, __CxxFrameHandler3, ??_V@YAXPAX@Z, memcmp, wcsstr, malloc, free, wcsncpy_s, _recalloc, _snwprintf_s, wcscpy_s, wcscat_s, swprintf_s, _wtol
RPCRT4.dll	CStdStubBuffer_AddRef, RpcStringFreeW, UuidCreate, UuidToStringW, NdrDllUnregisterProxy, NdrDllRegisterProxy, NdrCStdStubBuffer_Release, NdrDllCanUnloadNow, NdrDllGetClassObject, IUnknown_QueryInterface_Proxy, IUnknown_AddRef_Proxy, IUnknown_Release_Proxy, NdrOleAllocate, NdrOleFree, CStdStubBuffer_QueryInterface, CStdStubBuffer_Connect, CStdStubBuffer_Disconnect, CStdStubBuffer_Invoke, CStdStubBuffer_IsIIDSupported, CStdStubBuffer_DebugServerRelease, CStdStubBuffer_DebugServerQueryInterface, CStdStubBuffer_CountRefs

Name	Ordinal	Address
??0_Mutex@std@@QAE@W4_Uninitialized@1@@Z	1	0x1000b858
??4_Init_locks@std@@QAEAAV01@ABV01@@Z	2	0x1000b858
DllCanUnloadNow	3	0x1000815d
DllGetClassObject	4	0x10008cde
DllRegisterServer	5	0x10008ddb
DllUnregisterServer	6	0x10008df1

Target ID:	0
Start time:	19:31:26
Start date:	22/05/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll"
Imagebase:	0x730000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	19:31:29
Start date:	22/05/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,??4_Init_locks@std@@QAEAAV01@ABV01@@Z
Imagebase:	0xd60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	19:31:32
Start date:	22/05/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll,DllCanUnloadNow
Imagebase:	0xd60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	5.1%
Total number of Nodes:	39
Total number of Limit Nodes:	1

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\AutoIt3\Uninstall.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller\pidgenx.dll

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

C:\Program Files (x86)\Google\Update\1.3.36.312\goopdate.dll

C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll

C:\Program Files (x86)\Java\jre-1.8\bin\deploy.dll

C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\deployJava1.dll

C:\Program Files (x86)\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll

C:\Program Files (x86)\Java\jre-1.8\bin\eula.dll

C:\Program Files (x86)\Java\jre-1.8\bin\fxplugins.dll

C:\Program Files (x86)\Java\jre-1.8\bin\glib-lite.dll

C:\Program Files (x86)\Java\jre-1.8\bin\gstreamer-lite.dll

Windows Analysis Report
SecuriteInfo.com.Win32.Beetle.4.30890.19403.dll

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre