Windows Analysis Report cd.exe

Overview

General Information

Sample Name: cd.exe
Analysis ID: 483177
MD5: cd02e745a08dd29cb6fda1761b2f4b6e
SHA1: 1a0dd3348bb0f856fff51f7e22364b0974fa1ad3
SHA256: a4ff2e7dd35e8f7362739c3a578563458548ed5ffb30abe5ec6bf6f2c0de8eb7
Tags: exe

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Found PSEXEC tool (often used for remote process execution)
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Yara detected PsExec sysinternal tool
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
PE file contains more sections than normal
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: cd.exe ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: cd.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.cd.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.3.cd.exe.82998c.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\cd.exe Unpacked PE file: 1.2.cd.exe.400000.0.unpack
Uses 32bit PE files
Source: cd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.102.106:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: Binary string: D:\a\1\s\Win32\Release\logonsessions.pdb source: cd.exe
Source: Binary string: c:\stream\develop\Regionhunt.pdb source: cd.exe
Source: Binary string: D:\a\1\s\Win32\Release\RamMap.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb))) source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: cd.exe
Source: Binary string: C:\agent\_work\93\s\Win32\Release\autoruns.pdb source: cd.exe
Source: Binary string: D:\a\1\s\Win32\Release\adrestore.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: cd.exe

Spreading:

Found PSEXEC tool (often used for remote process execution)
Source: cd.exe String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49737 -> 173.239.8.164:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49737 -> 173.239.8.164:80
Source: Traffic Snort IDS: 2030821 ET MALWARE Win32/Zonebac Traffic Redirect 192.168.2.6:49737 -> 173.239.8.164:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WEBAIR-INTERNETUS WEBAIR-INTERNETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Yara detected PsExec sysinternal tool
Source: Yara match File source: cd.exe, type: SAMPLE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 173.192.101.24 173.192.101.24
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: msapplication.xml0.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: LM1X3BMT.htm.9.dr String found in binary or memory: re currently viewing and your location (ad serving is based on general location). Personalised content and ads can be based on those things and your activity, like Google searches and videos that you watch on YouTube. Personalised content and ads include things like more relevant results and recommendations, a customised YouTube homepage, and ads that are tailored to your interests.</div><div class="yS1nld">Click 'Customise' to review options, including controls to reject the use of cookies for personalisation and information about browser-level controls to reject some or all cookies for other uses. You can also visit <span>g.co/privacytools</span> at any time.</div></div></div></div><div class="VDity"><button class="tHlp8d" id="VnjCcb" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQiJAHCBo"><div class="jyfHyd" role="none">Customise</div></button><button class="tHlp8d" id="L2AGLb" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQiZAHCBs"><div class="jyfHyd" role="none">I agree</div></button></div><div class="XWlrff"><style>.XWlrff{margin:20px;display:flex;flex-direction:row;justify-content:center;position:absolute;bottom:0;right:0;left:0}.peRL2e,.o9D5Zb{color:#70757a;text-decoration:none}.o9D5Zb{margin:0 10px}.XWlrff{margin:18px auto 20px;position:relative}@media (max-width:320px){.peRL2e{font-size:11px}}@media (max-height:480px){.XWlrff{margin-bottom:10px}}</style><a class="peRL2e" href="https://policies.google.com/privacy?hl=en-GB&amp;fg=1&amp;utm_source=ucbs" id="RP3V5c" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQj5AHCBw">Privacy</a><div class="o9D5Zb" aria-hidden="true">&middot;</div><a class="peRL2e" href="https://policies.google.com/terms?hl=en-GB&amp;fg=1&amp;utm_source=ucbs" id="HQ1lb" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQkJAHCB0">Terms</a></div></div></div></span></div></div><script nonce="sBDQvviEJYE6GoG6F/T2Gw==">(function(){var consentCookiePayload='YES+shp.gws-20210909-0-RC2.en+FX+509';var nidCookiePayload='223\x3dao_PNWYHKNRTKr72m4usLcTnJh9tuvM0SumQjLr2NpAzZjJRtiknK0gCmTBXLOnKGQSjcjc7q7fXQyHh5YsCZxvbJHtqG4tUjigGnPyvRGQzyKRILvDlG4HWUN7F5Jpi_nHXn1ESCCOSvi8kY-pjocaxP4tq4OrC3-8IjbCQNp0';var cookieDomain='.google.com';var cookieUpdateConsentUrl='https://consent.google.com/s?continue\x3dhttps://www.google.com/?gws_rd%3Dssl\x26gl\x3dGB\x26m\x3d0\x26pc\x3dshp\x26uxe\x3dnone\x26v\x3dshp.gws-20210909-0-RC2.en%2BFX%2B509\x26ca\x3de\x26x\x3d5\x26t\x3dADw3F8gQkSzvPQQLJeh4nXGqegxVPXiLSQ:1631628204516';var sIU='https://accounts.google.com/ServiceLogin?hl\x3den\x26continue\x3dhttps://www.google.com/?gws_rd%3Dssl\x26gae\x3dcb-none';var cU='https://consent.google.com/d?continue\x3dhttps://www.google.com/?gws_rd%3Dssl\x26gl\x3dGB\x26m\x3d0\x26pc\x3dshp\x26uxe\x3dnone\x26hl\x3den\x26src\x3d2';var pC='SEARCH_HOMEPAGE';var gL='GB';var isMobile=false;var srp=false; equals www.youtube.com (Youtube)
Source: LM1X3BMT.htm.9.dr String found in binary or memory: http://agoogleaday.com/%23date%3D2011-06-04
Source: cd.exe String found in binary or memory: http://citationstyles.org/
Source: cd.exe String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/
Source: ~DFFAD0E470126C2D77.TMP.7.dr, index[1].htm.9.dr String found in binary or memory: http://google.com
Source: 1G7O03DV.htm.9.dr, ~DFFAD0E470126C2D77.TMP.7.dr String found in binary or memory: http://menehleibe.com/
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr String found in binary or memory: http://menehleibe.com/Root
Source: cd.exe String found in binary or memory: http://p.yusukekamiyamane.com/
Source: LM1X3BMT.htm.9.dr String found in binary or memory: http://schema.org/WebPage
Source: cd.exe String found in binary or memory: http://support.mendeley.com/customer/portal/articles/227955
Source: 1G7O03DV.htm.9.dr String found in binary or memory: http://ww9.menehleibe.com/
Source: msapplication.xml.7.dr String found in binary or memory: http://www.amazon.com/
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr String found in binary or memory: http://www.broofa.com
Source: msapplication.xml1.7.dr, 0V71R0V5.htm.9.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.7.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr String found in binary or memory: http://www.reddit.com/
Source: cd.exe String found in binary or memory: http://www.sysinternals.com
Source: cd.exe String found in binary or memory: http://www.sysinternals.comFileVersionLegalCopyright
Source: cd.exe String found in binary or memory: http://www.sysinternals.comWindowPositionSOFTWARE
Source: cd.exe String found in binary or memory: http://www.sysinternals.comopenConnection
Source: cd.exe String found in binary or memory: http://www.sysinternals.comopenFolder
Source: msapplication.xml5.7.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.7.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr String found in binary or memory: http://www.youtube.com/
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://accounts.google.com/ServiceLogin?hl
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://adservice.google.com/adsid/google/ui
Source: LM1X3BMT.htm.9.dr, rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr String found in binary or memory: https://apis.google.com
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://artsandculture.google.com/partner/museo-reina-sofia
Source: cd.exe String found in binary or memory: https://citationstyles.org
Source: cd.exe String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlBrowser
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://consent.google.com/d?continue
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://consent.google.com/s?continue
Source: cd.exe String found in binary or memory: https://crashpad.chromium.org/
Source: cd.exe String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: cd.exe String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: cd.exe String found in binary or memory: https://csl.mendeley.com
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://donate.google.com/checkout?campaignid%3D6420545008435200
Source: imagestore.dat.9.dr String found in binary or memory: https://gertrk.com/favicon.ico
Source: ~DFFAD0E470126C2D77.TMP.7.dr String found in binary or memory: https://gertrk.com/nlp/index.php?url_bnm_redirect=http://google.com
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr String found in binary or memory: https://gertrk.com/nlp/index.php?url_bnm_redirect=http://google.comRoot
Source: cd.exe String found in binary or memory: https://github.com/Juris-M/citeproc-js
Source: cd.exe String found in binary or memory: https://github.com/citation-style-language/styles
Source: cd.exe String found in binary or memory: https://ims-na1-stg1.adobelogin.com
Source: cd.exe String found in binary or memory: https://ims-prod06.adobelogin.com
Source: cd.exe String found in binary or memory: https://lcs-cops-dev.adobe.io
Source: cd.exe String found in binary or memory: https://lcs-cops-dev.adobe.iohttps://lcs-cops-stage.adobe.iohttps://lcs-cops.adobe.iohttps://lcs-rob
Source: cd.exe String found in binary or memory: https://lcs-cops-stage.adobe.io
Source: cd.exe String found in binary or memory: https://lcs-cops.adobe.io
Source: cd.exe String found in binary or memory: https://lcs-robs-dev.adobe.io
Source: cd.exe String found in binary or memory: https://lcs-robs-stage.adobe.io
Source: cd.exe String found in binary or memory: https://lcs-robs.adobe.io
Source: cd.exe String found in binary or memory: https://lcs-ulecs-dev.adobe.io
Source: cd.exe String found in binary or memory: https://lcs-ulecs-stage.adobe.io
Source: cd.exe String found in binary or memory: https://lcs-ulecs.adobe.io
Source: cd.exe String found in binary or memory: https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-I
Source: d4a6d4bd[1].htm.9.dr String found in binary or memory: https://mybetterdl.com/aS/feedclick?s=PmRMc57CnhYhj70e-I9ky5kfJerKhwxlfSMU3tyux_x5AGZrWUPSJmPzN2c9f2
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://ogs.google.com/widget/app/so?bc=1
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://ogs.google.com/widget/callout?prid=19025503
Source: cd.exe String found in binary or memory: https://plasma.kde.org
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://policies.google.com/privacy?hl=en-GB&amp;fg=1&amp;utm_source=ucbs
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://policies.google.com/terms?hl=en-GB&amp;fg=1&amp;utm_source=ucbs
Source: cd.exe String found in binary or memory: https://rrchnm.org/
Source: cd.exe String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/19601/kw/connectivity/supporthub/mendeley/1setU
Source: cd.exe String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/19611/kw/duplicates/supporthub/mendeley/Yes
Source: cd.exe String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/22094/kw/migrate/supporthub/mendeley/
Source: cd.exe String found in binary or memory: https://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contac
Source: cd.exe String found in binary or memory: https://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQ
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://trends.google.com/hottrends
Source: cd.exe String found in binary or memory: https://www.elsevier.com/legal/elsevier-website-terms-and-conditions
Source: cd.exe String found in binary or memory: https://www.elsevier.com/legal/privacy-policy
Source: cd.exe String found in binary or memory: https://www.gmu.edu/
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://www.google.co.uk/intl/en/about/products
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://www.google.com
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://www.google.com/?gws_rd%3Dssl
Source: ~DFFAD0E470126C2D77.TMP.7.dr String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: ~DFFAD0E470126C2D77.TMP.7.dr String found in binary or memory: https://www.google.com/?gws_rd=ssl_bnm_redirect=http://google.com
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr String found in binary or memory: https://www.google.com/?gws_rd=ssl_bnm_redirect=http://google.com/?gws_rd=ssl
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://www.google.com/_/og/promos/
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr String found in binary or memory: https://www.google.com/index.php?url_bnm_redirect=http://google.com/?gws_rd=ssl_bnm_redirect=http://
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://www.google.com/search?gws_rd%3Dssl%26q%3Dnebulae%26um%3D1%26ie%3DUTF-8%26tbm%3Disch%26csf%3D
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://www.google.com/url?q=https://www.google.com/chrome/download-chrome-for-search/%3Fbrand%3DOKW
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/search_black_24dp.png
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.auSrFW-FX90.O/rt=j/m=qabr
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.auSrFW-FX90.O/rt=j/m=qdsh/d=1/ed=1/rs=AA2YrTtiIgpyWC3
Source: LM1X3BMT.htm.9.dr String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.wtXa61WU3WQ.L.X.O/m=qcwid/excm=qaaw
Source: cd.exe String found in binary or memory: https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding
Source: cd.exe String found in binary or memory: https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite
Source: cd.exe String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
Source: cd.exe String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com
Source: cd.exe String found in binary or memory: https://www.mendeley.com/library
Source: cd.exe String found in binary or memory: https://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-website
Source: cd.exe String found in binary or memory: https://www.sysinternals.comntdllRtlInitUnicodeStringNtOpenDirectoryObjectNtQuerySectionNtQueryDirec
Source: cd.exe String found in binary or memory: https://www.virustotal.com/about/terms-of-service%s
Source: cd.exe String found in binary or memory: https://www.virustotal.comPOST4e3202fdbe953d628f650229af5b3eb49cd46b2d3bfe5546ae3c5fa48b554e0capikey
Source: cd.exe String found in binary or memory: https://www.zotero.org/
Source: unknown HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateHost: menehleibe.comContent-Length: 12Connection: Keep-AliveCache-Control: no-cacheData Raw: 69 63 3d 30 26 66 62 3d 74 72 75 65 Data Ascii: ic=0&fb=true
Source: unknown DNS traffic detected: queries for: menehleibe.com
Source: global traffic HTTP traffic detected: GET /aS/feedclick?s=PmRMc57CnhYhj70e-I9ky5kfJerKhwxlfSMU3tyux_x5AGZrWUPSJmPzN2c9f2E7_vAN-6p8GpmDZG8TCuTZ6pDoEwlyap2kZsgzB4lH00ug8e5ExIzs-GByJkw_hnoLHWVUL2gXgUyatsBFMaSTc1RQ5RxkQPBqyyTn3ctXNy_0uSHRSxkmOy8VHMc85GIOT4jmse8Hco-FpMlb9RHx56VxjN2QtFN197vLrfkZ9qE509t5aRYfk0fTaZIGwGtVFx6Cjc1It8vKVodI2QoCnLeLuzBqxrSYHinyRIiR6SzTXaBf9PH6fc538M5WEvMvhjauUHGubj961r75KUjKtSXnHatHqEuiyuTMyWjRyjCKMGCurZS8_bcUa4tJgkiTyXdC5k_Q4CBuzEhgKlo_tO4ZCxjCqbxJk5Qzkw_MwwsEKwa-Bh_puw260HEYWHbHAxhhGdlJM-I_t1xxhVv3SQmb2uwb95RlGM7AqpOHVVF6EgPkt4a55MyZVnXuVkgrUl1akVOciihIlqaZoSoe2Ylzr70WFqgr6AhoabQSBzCjuJYNp4gwUYV0VWvRZajmUWO_Vxo8ML-hjUsrPH807AqUmDxuY4v8inEoo-y-qnyU06p2Uh3Pw9YdNYD58IK4CKCGcA-Uam9dcss-T-5Iub4J15H67wFZ2snzzWpWzEKC9XUORoe_dbnEgAhHx_n7Z4tVOYdW5lW6ruDPqaeHc0uzcTU9bgm_in-W2l5vorxPFmQaTFIcy4B5guOnMJ5yZHLQD576xYWbP03aM83dTwE3kMpnzCC1V5B-3hXd5pzfx17GSZUu2KHXImolykrmTazGZKmMBhE5rzai4ARXglTM7lPAlIssdjgnlOgBObVnL6dMrNPV4wycVX3s5OxtJMXedCWE2r5biNOcX3y5Pmw-0BUdBZv7MvlSTP2Fk9AaabOem2Q73GpjsG_dwXVnUc2FH6zZuqWu2Dli66C-XucADfX2tBPlR3prQOfp40mttv00_iCR6q6fLI9QZgGY11WgfO3qdEgV2xwoj0eGTIxBicwTEMicE9X3AYQsCpAEn3pdnGSoQpHTA7Kz9fo94mKnTULy2teQgTesP9hhxLreOeHrbCzwHSSbH-FJZx15JZAYCxI8gV6bvS4IWlDg_vysGgTqrjiFCjhA5kocz54NYxtQVvyXSZspRWMKjI1QYN8ennj2JVFvWfYyzeLbGr1ovqBCtNBvJi2ztcTgBlsW0SM8XIsRgd4QMcWZcycyUPzb9Wd1bDxFTAWmSXH43ynD5UObBi5FyNDw8qKKmoCnfedHiztWYQxKotKUGaKd1m_k2iMIc5SBU1Vi7-MGW4_Mi4WYIzJL61eBLaioPhng2BQ6PDt8aAWdDMho29RkRFHVPIQb3W3nWMGo8srLOHYnfrFRuEDgcm6cqkr2IQD0T7sB-GexA77NdWEi2cdlkkLEB146pQ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: mybetterdl.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /adServe/domainClick?ai=qR193HoKV_skvRDJ1Xl7Z2EMSqLSlBmindZv5NojCHOwn03uCMUnWWP1f_rG7YbjKg1peh-_obzBIj3uZHPpnj9EVoFzCvr6nUsZVZhWVPP-29LJmEHdmZ7b6Qy9a1mHTiLNxNNj-331YCaynPT02WREUdU8hBvdAVtzW-BnG_JiVnQIGgxQDiU7ugF2M-yuSZspRWMKjI0oZaL4_NY6BA8B78vhYDGtjMUdyxHqWTbxnarhY6PRQCoyupr1mhPBjhdEqJB6Nj2XmDvYXWw9hp-qFZn5gpnPqtE9sbJicJwX2fEbVjxB9kp2QAzznS8_6fjhgUFt3sQISiZ3D8mF7LCm2HeI0S938_gGwpSXr3tSAMcY_H2x07HFovOGSDpNKiXhLmiyflhHQ2DhJtv57Pgpt-TBvcxCEwrLEAaOW_go6oM85zEqQcFJgSFbjHo8VjLddbnKrYw&ui=PmRMc57CnhbNSfHhL5kCGmvi5v6ZZrF7dLiTNq3P25qokS0sVeF3FkXI0PDyooqap4CS6zytrLbvtEDBZZLJWA-odODn3W3LTPqV0hvm1VqP--qZkGGf_8AXd3hExnhV&si=1&oref=a606ca39dc85b39bdaa2bf88832fa198&optunit=SZspRWMKjI3Y6yHw-JV9WQ&rb=mhdAWEBiphk&rr=1&abtg=0 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: p226681.mybetterdl.comCookie: rhid=79630578833
Source: global traffic HTTP traffic detected: GET /click.php?key=qxr7sx5xq96osnrqgm1a&subid=87057224030&bid=0.025&site=413999995&source=413999995&clickid=87057224030&browser=Internet+Explorer+11&geo=CH&campaign_name=CH&device=Desktop&os=Windows+10 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: gertrk.com
Source: global traffic HTTP traffic detected: GET /nlp/index.php?url_bnm_redirect=http://google.com HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: gertrk.comCookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gertrk.comConnection: Keep-AliveCookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
Source: global traffic HTTP traffic detected: GET /?gws_rd=ssl HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.google.com
Source: global traffic HTTP traffic detected: GET /images/branding/googlelogo/2x/googlelogo_color_272x92dp.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.google.com/?gws_rd=sslAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=PENDING+509
Source: global traffic HTTP traffic detected: GET /gen_204?ei=rKtAYY2rHY25kwWZrp3YAw&vet=10ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQhJAHCBQ..s&gl=GB&pc=SEARCH_HOMEPAGE&isMobile=false HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.google.com/?gws_rd=sslAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=PENDING+509
Source: global traffic HTTP traffic detected: GET /images/searchbox/desktop_searchbox_sprites318_hr.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.google.com/?gws_rd=sslAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=PENDING+509
Source: global traffic HTTP traffic detected: GET /images/bjM3gVEtKlUeWm2NnKw3/UycpbcugJuZhqNGVGh8/kwk4esZ_2F2xjDYD_2BSa_/2F328cjxY6AQM/kA5SneVc/JKL1AVTBXoV77D1JaKVgbri/d8lSYHOR5C/_2FOPoUzuMMso_2Bp/A_2Ffbx4wppa/aSm6IWIjM6R/Y44GbYY.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: menehleibe.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: menehleibe.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.google.com
Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.102.106:443 -> 192.168.2.6:49751 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\cd.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\cd.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\cd.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\cd.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\cd.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\cd.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: cd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040323C 1_2_0040323C
Contains functionality to call native functions
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00401873 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk, 1_2_00401873
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040171A NtMapViewOfSection,RtlNtStatusToDosError, 1_2_0040171A
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040202A NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 1_2_0040202A
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004022D1 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset, 1_2_004022D1
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004020E9 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,memcpy, 1_2_004020E9
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00402F98 memset,memcpy,NtSetContextThread,LdrInitializeThunk,RtlNtStatusToDosError,GetCalendarWeekNumber,GetLastError, 1_2_00402F98
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00401646 NtGetContextThread,LdrInitializeThunk,RtlNtStatusToDosError, 1_2_00401646
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00402550 NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset,LdrInitializeThunk,LdrInitializeThunk,memcpy, 1_2_00402550
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040345D NtQueryVirtualMemory, 1_2_0040345D
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004018E5 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_004018E5
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004031F0 NtGetContextThread, 1_2_004031F0
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004012A3 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_004012A3
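Added triage example, not part of the Joe Sandbox report and not code from the sample: read together, the native calls listed above are the building blocks of section-based code injection (NtCreateSection/NtMapViewOfSection to stage code, NtUnmapViewOfSection to evict a target image, NtAllocateVirtualMemory/NtWriteVirtualMemory to write it, NtGetContextThread/NtSetContextThread to redirect a thread) plus manual import resolution through LdrLoadDll/LdrGetProcedureAddress. The script parses the report's `Code function:` lines, collapses the API names across functions and reports which primitives are fully present. The primitive groups and the verdict wording are my assumptions; the report only shows the imports, not the process they were used against, so a match is a reason to look at the unpacked 0x400000 image, not proof of injection.

```python
# Native-API groups that together implement well-known injection
# primitives (assumed grouping). A group is reported only when every API
# in it appears somewhere in the sample's code, in any function.
INJECTION_PRIMITIVES = {
    "section mapping (NtCreateSection + NtMapViewOfSection)":
        {"NtCreateSection", "NtMapViewOfSection"},
    "unmap target image (NtUnmapViewOfSection)":
        {"NtUnmapViewOfSection"},
    "remote write (NtAllocateVirtualMemory + NtWriteVirtualMemory)":
        {"NtAllocateVirtualMemory", "NtWriteVirtualMemory"},
    "thread context hijack (NtGetContextThread + NtSetContextThread)":
        {"NtGetContextThread", "NtSetContextThread"},
    "page protection change (NtProtectVirtualMemory)":
        {"NtProtectVirtualMemory"},
    "manual import resolution (LdrLoadDll + LdrGetProcedureAddress)":
        {"LdrLoadDll", "LdrGetProcedureAddress"},
}

_MARKER = "Code function: "


def parse_code_function(line):
    """Parse one 'Code function: <addr> <api,api,...>, <addr>' report line
    into (addr, [apis]). A line with no API list yields an empty list."""
    i = line.find(_MARKER)
    if i < 0:
        return None
    tokens = line[i + len(_MARKER):].split()
    if len(tokens) < 2:
        return None
    addr = tokens[0]
    apis = []
    if len(tokens) > 2:
        apis = [a for a in ",".join(tokens[1:-1]).split(",") if a]
    return addr, apis


def assess(lines):
    """Return the set of APIs seen, each primitive that is fully present with
    the functions contributing to it, and a one-line verdict."""
    funcs = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed:
            addr, apis = parsed
            funcs.setdefault(addr, set()).update(apis)
    all_apis = set().union(*funcs.values()) if funcs else set()
    found = {}
    for name, needed in INJECTION_PRIMITIVES.items():
        if needed <= all_apis:
            found[name] = sorted(a for a, s in funcs.items() if s & needed)
    # A complete chain stages code via a section and then redirects a thread.
    chain = ("section mapping", "thread context hijack")
    complete = all(any(k.startswith(c) for k in found) for c in chain)
    verdict = ("full section-mapping + thread-hijack injection chain present"
               if complete else "partial or no injection chain")
    return {"apis": all_apis, "primitives": found, "verdict": verdict}


# Constructed input: the 'Code function' lines copied from the report above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040323C 1_2_0040323C",
    r"Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00401873 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk, 1_2_00401873",
    r"Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040171A NtMapViewOfSection,RtlNtStatusToDosError, 1_2_0040171A",
    r"Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040202A NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 1_2_0040202A",
    r"Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004022D1 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset, 1_2_004022D1",
    r"Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004020E9 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,memcpy, 1_2_004020E9",
    r"Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00402F98 memset,memcpy,NtSetContextThread,LdrInitializeThunk,RtlNtStatusToDosError,GetCalendarWeekNumber,GetLastError, 1_2_00402F98",
    r"Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004018E5 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_004018E5",
    r"Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004012A3 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_004012A3",
]

if __name__ == "__main__":
    report = assess(SAMPLE_LINES)
    for name, addrs in report["primitives"].items():
        print(f"{name}: {', '.join(addrs)}")
    print(report["verdict"])
```

The same parser can be pointed at the full report export; the `1_2_` prefix on each address is the sandbox's process/dump index and is kept as an opaque label.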
Sample file is different than original file name gathered from version info
Source: cd.exe Binary or memory string: zD%s\service_log.txtERROR! %s %s : %s%s\StringFileInfo\040904b0\OriginalFilename\installpath_SkipServiceVerificationChecks%s\bin\service_minimum_versions.vdf%s\service_minimum_versions.vdfVersion file missing or corrupt: %s vs cd.exe
Source: cd.exe Binary or memory string: M\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs cd.exe
PE file contains more sections than normal
Source: cd.exe Static PE information: Number of sections : 71 > 10
Source: cd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: cd.exe ReversingLabs: Detection: 60%
Source: cd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
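Added static-check example, not part of the Joe Sandbox report and not code from the sample: the three header facts above (71 sections against a threshold of 10, a standard read/execute `.text`, and `RELOCS_STRIPPED` among the file characteristics) come straight out of the COFF header and section table, and are cheap to reproduce without a sandbox. The parser below reads exactly those fields from a PE32 image and reports the same anomalies plus a writable-and-executable section check. Because the sample itself is not reproduced here, the input is a constructed header-only PE built by `build_pe`; its 71 section names, the `pkd0` writable+executable section and the section-name whitelist are my assumptions. Note that the report's "changes PE section rights" finding is a runtime observation (protection changed after load), which a static W+X check will not see.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32_OPTIONAL_HEADER_SIZE = 224
# Assumed whitelist: names a stock MSVC/MinGW link emits.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                          ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".gfids", ".00cfg"}


def parse_pe(data):
    """Read the COFF header and section table of a PE32 image.
    Returns (file_characteristics, [(section_name, section_characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, n_sections, _ts, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        sec_chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, sec_chars))
    return file_chars, sections


def pe_anomalies(data, max_sections=10):
    """Static checks mirroring the report's PE findings; returns a list of strings."""
    file_chars, sections = parse_pe(data)
    findings = []
    if len(sections) > max_sections:
        findings.append(f"section count {len(sections)} > {max_sections}")
    if file_chars & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("RELOCS_STRIPPED: image cannot be rebased, so ASLR does not apply")
    wx = [n for n, c in sections if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE]
    if wx:
        findings.append("writable+executable sections: " + ", ".join(wx))
    odd = [n for n, _ in sections if n not in STANDARD_SECTION_NAMES]
    if odd:
        findings.append(f"{len(odd)} non-standard section names, e.g. {odd[:3]}")
    return findings


def build_pe(sections, file_chars):
    """Constructed minimal PE32: DOS stub, COFF header, zeroed optional header
    and the given section table. Headers only; not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       PE32_OPTIONAL_HEADER_SIZE, file_chars)
    opt = struct.pack("<H", 0x10B) + b"\0" * (PE32_OPTIONAL_HEADER_SIZE - 2)
    table = b"".join(name.encode("latin-1").ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", chars)
                     for name, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RDATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Constructed stand-in for the sample's header facts: 71 sections, a normal
# .text, RELOCS_STRIPPED set, plus a hypothetical W+X section named "pkd0".
SAMPLE_LIKE = build_pe(
    [(".text", TEXT), (".data", DATA), ("pkd0", TEXT | IMAGE_SCN_MEM_WRITE)]
    + [(f"s{i:02d}", DATA) for i in range(68)],
    IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_RELOCS_STRIPPED)
# Constructed control: three standard sections, relocations kept.
CLEAN = build_pe([(".text", TEXT), (".data", DATA), (".rsrc", RDATA)],
                 IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE)

if __name__ == "__main__":
    for finding in pe_anomalies(SAMPLE_LIKE):
        print("-", finding)
```

To run it against a real file, replace `SAMPLE_LIKE` with the bytes of the binary; only the headers are read, so the whole file need not be held in memory beyond the section table.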
Source: C:\Users\user\Desktop\cd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\cd.exe 'C:\Users\user\Desktop\cd.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Users\user\Desktop\cd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F14FAF2F-15AF-11EC-90E5-ECF4BB2D2496}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF1C6E09CA4CF5EBDD.TMP Jump to behavior
Source: cd.exe Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServer\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program.
Source: cd.exe Binary string: HNtOpenKeyExNtCreateKey: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\registry_dispatcher.ccConsider modifying policy using this policy rule: REG_ALLOW_ANYNtOpenKey: STATUS_ACCESS_DENIED\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
Source: cd.exe Binary string: A@\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
Source: cd.exe Binary string: A4057363broker_pdfshell_sh/if/id %uAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Software\Adobe\Acrobat Reader\DC\FeatureStateSoftware\Adobe\Adobe Acrobat\DC\FeatureState
Source: cd.exe Binary string: zl`l@`l@aFatlTraceGeneral\??\\Device\\\?\UNC\\??\UNC\/?/UNC/atlTraceCOM\?\UNC\\??\pipe\\??\mailslot\atlTraceQI\\?\\\.\\\atlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib:Invalid DateTimeInvalid DateTimeSpanMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exception (cont.) (cont.)Math overflow exceptionrSOFTWARE\Adobe\AcroPerfMath overflow exceptionbLaunchTimingMath overflow exceptionbExtendedProfilingMath overflow exceptionbDetailedHandlerProfilingMath overflow exceptiontOutputDirMath overflow exceptionMath overflow exceptionlabeled blockMath overflow exceptionMath overflow exceptionbFilemonMarkersrP[h`+Md[h
Source: cd.exe Binary string: FNtCreateSection: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\signed_dispatcher.ccreal_path: NtOpenSection: STATUS_ACCESS_DENIED\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
Source: cd.exe Binary string: M\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SystemTopicsSysItemsSystemFormatsCF_TEXTStatusReadyHelpYou are connected to Adobe Acrobat.ReturnMessage
Source: cd.exe Binary string: L\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Ntdll.dllNtQueryInformationProcessSTATIC_acroS_winAcroPDF.dllAcroPDFImpl.dllNPPdf32.dllPDFPrevHndlr.dllPDFPrevHndlrShim.dllPDFThumbHndlr.dllPDFShell.dllPDFPropHndlr.dllAcroSBL/b/id/id4057363/if%s_%lu_%lu/acGeckoPluginWindowplugin-container.exe4021007AcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSTATICswBrowser|acr|\FNP_Act_Installer.dll|acr|\SynchronizerApp.exe|acr|\Javascripts\JSByteCodeWin.bin|acr|\AdobeUpdater.dll|sys|\ddraw.dll|sys|\dciman32.dllAdobeAcrobatSpeedLaunchCmdWndSOFTWARE\Adobe\Adobe Acrobat\DC\AcroSpeedLaunchAcrobatSDIWindowAdobeAcrobatAcrobatTimerWndAcrobat runningMcShieldAvSynMgrnavapsvcAntiVirServiceAVPekrnIsVirusCheckerPresentServicesActivefound servicerunningIsVirusCheckerPresent doneAbortWM_CLOSEerr in TimeoutOrExitWaitUntilTimeoutOrMustExitOrVirusCheckerPresenterr in checkerSetThreadPriority worker thread lownot all ops, go into vc modewaitingmsvcr100.dllmsvcp100.dlldo Opsworker throw!worker doneTerminate thread!
Source: cd.exe Binary string: A\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F]P
Source: cd.exe Binary string: \\\?\.dll.apibad allocationSOFTWARE\Adobe\Adobe Acrobat\DC\InstallPathSOFTWARE\Adobe\Acrobat Reader\DC\InstallPath|ci||cpg||cc||cpt||cpe||cf||csu||cr||cst||cbb||csm||cdd||cdr||cn||cnh||cfo||ct||ccsm||ccp||ccs||ccd||cad||cph||cas||cca||ccf||cic||cco||ch||cmm||cla||ccad||cpf||cmp||cpfc||ccdc||crs||crl||ccam||cat||tmp||win||sys||root||ladl||acr||acrp||rdr||rdrp|An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.atlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinAcroUnloadStubMsgAcroReloadStubMsgAcrobatUnloadMsgAcrobatReloadMsgAcroStubUnloadWClassAcroStubUnloadWClassAcroStubUnloadWClassatlTraceNotImplatlTraceAllocationSOFTWARE\Adobe\Adobe Acrobat\DC\LanguageUISOFTWARE\Adobe\Adobe Acrobat\DC\LanguageUIAcroUnloadStubMsgAcroReloadStubMsgatlTraceExceptionAcroRd32.dllAcrobat.dllAcRd32_D.dllAcroDbg.dllSOFTWARE\Adobe\Adobe Acrobat\DC\appvatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibAcrobat.dllAcrobat32OL.dllSoftware\Adobe\Adobe Acrobat\DC\SecurityDEPSoftware\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDownbEnableATL7Compatkernel32.dllGetProcessDEPPolicykernel32.dllSetProcessDEPPolicyntdll.dllNtSetInformationProcess\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\AppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt /if/if pdfshell_prev/CRlaunchCEFInLowIntegrityAdobeAcrobatSpeedLaunchCmdWndAdobeReaderSpeedLaunchCmdWndAcrobat Viewer Safe DDEacrobat_sbxEDIT/if/CR/ac/actuser32.dllSetProcessDPIAwareacrobatres.dllAXE8SharedExpat.dll/dllLoad AppInitEventbProtectedModeSOFTWARE\Policies\Adobe\Adobe Acrobat\DCbIPMTurnedPMONbLastExitNormaliForceExitReasonSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\ExitSectionSoftware\Adobe\Adobe Acrobat\DC\ExitSectioniPMSilentOffiNumSessionsSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegediSessionThresholdiPMSilentOffSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegedbProtectedMode\x86\Acrobat\Acrobat.exe/dllLoadbLTEnableDLLOptimizationAdobe AcrobatSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownDC_AcroAppTimerAcroExe load doneacrord32_super_sbx/if/ifpdfshell_prev/slModebAllowWindowCreationOnBrowserSoftware\Adobe\Adobe Acrobat\DC\PrivilegedUseSandboxModalWndReparenting/slModeopenSoftware\Adobe\Adobe Acrobat\DC\AVGeneraliSLExitTimeHighPartiSLExitTimeLowPartFatal ErrorAcrobat failed to load its Core DLLhttps://helpx.adobe.com/acrobat/kb/acrobat-failed-load-core-dll.htmlAcroWinMainSandbox\??\AcroviewA21CALS_PreflightDdeService\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device
Source: cd.exe Binary string: fH', pattern = ', semantics = , subsystem = error = Failed to add sandbox rule.D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\sandbox_policy_base.ccinterceptions setup failed - error:process initialization failed - error:g_shared_delayed_integrity_levelg_shared_delayed_mitigationsCreateAppContainerToken\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F]
Source: cd.exe Binary string: #O\\.\\\?\CreateNamedPipe: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\named_pipe_dispatcher.ccname: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\invalid stoull argumentstoull argument out of range
Source: cd.exe Binary string: Zh#M\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\dZh0
Source: cd.exe Binary string: DEST\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Embed SourceEmbedded ObjectatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\AcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibCONTENTSPDFCONTENTSCONTENTS\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\atlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibGetOpenFileNameW`
Source: cd.exe Binary string: M\Device\Mup\Device\\SystemRoot\\Device\LanmanRedirector\
Source: cd.exe Binary string: NBrokerEvent0x%XFailed to construct job object for sandbox process - error:D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\broker_services.ccFailed to construct restricted tokens for sandbox process - error:4277065__security_cookieg_sandbox_winsta_handleg_sandbox_desktop_handleg_sandbox_main_thread_idg_broker_already_in_job_that_prohibits_breakawayg_is_compute_only_sandboxg_under_appv_virtualizationg_in_pm_appcontainerg_in_pv_appcontainer%sg_appcontainer_named_object_directory_handleg_appcontainer_object_dirg_broker_process_idFailed to add target - error:AcroBrokerSessionEndMsgListenerClassAcroBrokerSessionEndMsgListener\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe Binary string: \\\?\.dll.apibad allocationSOFTWARE\Adobe\Adobe Acrobat\DC\InstallPathSOFTWARE\Adobe\Acrobat Reader\DC\InstallPath|ci||cpg||cc||cpt||cpe||cf||csu||cr||cst||cbb||csm||cdd||cdr||cn||cnh||cfo||ct||ccsm||ccp||ccs||ccd||cad||cph||cas||cca||ccf||cic||cco||ch||cmm||cla||ccad||cpf||cmp||cpfc||ccdc||crs||crl||ccam||cat||tmp||win||sys||root||ladl||acr||acrp||rdr||rdrp|An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.atlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinAcroUnloadStubMsgAcroReloadStubMsgAcrobatUnloadMsgAcrobatReloadMsgAcroStubUnloadWClassAcroStubUnloadWClassAcroStubUnloadWClassatlTraceNotImplatlTraceAllocationSOFTWARE\Adobe\Adobe Acrobat\DC\LanguageUISOFTWARE\Adobe\Adobe Acrobat\DC\LanguageUIAcroUnloadStubMsgAcroReloadStubMsgatlTraceExceptionAcroRd32.dllAcrobat.dllAcRd32_D.dllAcroDbg.dllSOFTWARE\Adobe\Adobe Acrobat\DC\appvatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibAcrobat.dllAcrobat32OL.dllAcroRd32.dllSoftware\Adobe\Adobe Acrobat\DC\SecurityDEPSoftware\Policies\Adobe\Acrobat Reader\DC\FeatureLockDownbEnableATL7Compatkernel32.dllGetProcessDEPPolicykernel32.dllSetProcessDEPPolicyntdll.dllNtSetInformationProcessAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt /if/if pdfshell_prev/CRlaunchCEFInLowIntegrityAdobeAcrobatSpeedLaunchCmdWndAdobeReaderSpeedLaunchCmdWndAcrobat Viewer Safe DDEacrord32_sbxEDIT/if/CR/ac/actuser32.dllSetProcessDPIAware/pass bWasUserPassThroughedSoftware\Adobe\Acrobat Reader\DC\AVGeneralacrord32res.dllAXE8SharedExpat.dll/dllLoad AppInitEvent/dllLoadbLTEnableDLLOptimizationAcroExe load doneSOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdownDCAcrobat Reader_AcroAppTimeracrord32_super_sbx/if/ifpdfshell_prev/slModebAllowWindowCreationOnBrowserUseSandboxModalWndReparentingSoftware\Adobe\Acrobat Reader\DC\Privileged/slModeSoftware\Adobe\Acrobat Reader\DC\AVGeneraliSLExitTimeHighPartiSLExitTimeLowPartFatal ErrorAcrobat failed to load its Core DLLhttps://helpx.adobe.com/acrobat/kb/acrobat-failed-load-core-dll.htmlopen\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\AcroWinMainSandboxAcroviewR21\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\unordered_map/set too longinvalid hash bucket count
Source: cd.exe Binary string: ONtCreateFile: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\filesystem_dispatcher.ccreal path: NtOpenFile: STATUS_ACCESS_DENIEDNtQueryAttributesFile: STATUS_ACCESS_DENIEDNtQueryFullAttributesFile: STATUS_ACCESS_DENIEDNtSetInformationFile: STATUS_ACCESS_DENIED\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\kernel32.dll
Source: cd.exe Binary string: 4`@dI0nI 7H\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\CONTENTSCONTENTSAcrobat DocumentPDFCONTENTSLink Source DescriptorLink Source DescriptorObject DescriptorObject DescriptorEmbed SourceEmbed SourceLink SourceLink SourceEmbedded ObjectEmbedded ObjectCustom Link SourceCustom Link SourceObjectLinkObjectLinkCF_BITMAPCF_ENHMETAFILECF_METAFILEPICTCF_DIBNotesDocInfoNotesDocInfoNoteshNoteNoteshNoteLink Source DescriptorObject DescriptorEmbedded ObjectEmbed SourceCustom Link SourceLink SourceObjectLinkNotesDocInfoNoteshNoteAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib
Source: cd.exe Binary string: zl`l@`l@aFPDFMOutlook.PDFMOutlookSubjectEntryID\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe Binary string: \"}{\LogTransport2.exeLogTransport2.exeNOVALUE\verclsid.exeverclsid.exe/S/C/I/XIMEPADSV.EXEEmbeddingimjpuex.exeimjpdct.exeifSharedPathModulePathSOFTWARE\Microsoft\IMEJPSOFTWARE\Microsoft\IMEJP\%s\directories\ime\shared\acrotray.exe/Q\acrodist.exe--UseSystemFonts--EditSecurity-C:7--HWND:-J/E/N/P/J/O.pdf.psupdatepvbpreferencepersistmachineiddontsendcreatedumpsendlogsolutionurlopenadobetermsandconditionsopensolutionurldummy\CRWindowsClientService.exeSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Photoshop.exeSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Illustrator.execImageEditorcObjectEditorSOFTWARE\Classes\Applications\mspaint.exe\shell\edit\commandbEnableEditUsingacrobat_sbxSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad++.execJSEditorSOFTWARE\Classes\Applications\notepad.exe\shell\edit\commandD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\process_thread_dispatcher.ccexe name: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
Source: cd.exe Binary string: AcroCEF\AcroCEF.exeAcroCEF.exeHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXT\Device\HarddiskVolumepipe\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\4202392~NtQueryObjectRtlNtStatusToDosErrorRtlCompareUnicodeString\Device\WinDFSA:CdmRedirectorVolume\Device\HarddiskVolumeDirectoryFileEventSectionKey<>:"\|?*Software\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDownbEnableSameObjectCheckbSupportRDSUPDSYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettingsUvhdEnabledbFilePathPreprocessingShortcutEnabled
Source: cd.exe Binary string: {l`l@`l@aF\??\\Device\x
Source: cd.exe Binary string: |l`l@`l@aFatlTraceGeneralatlTraceCOMatlTraceQI\??\atlTraceRegistrar\Device\\\?\UNC\atlTraceRefcount\??\UNC\/?/UNC/\?\UNC\atlTraceWindowing\??\pipe\\??\mailslot\\\?\atlTraceControls\\.\\\atlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPI%d.%u.%d/cr/bbEnforceReadRestrictionsSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownbEnableAlternateLaunchDesktopSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownbEnableAlternateTempDirectorySoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegedbEnableHeapMitigationsbEnableProcessIntegrityMitigationsbEnableEnhancedPolicyRestrictionsbEnableGlobalAtomRestrictionsbPreventCreatingExecutablesbEnableBinaryPlantingProtectionbDisableMultiplePrefetchiPMAppContainerStateSoftware\Adobe\Adobe Acrobat\DC\AVGeneraliSandboxExitCodeSoftware\Adobe\Adobe Acrobat\DC\AVGeneral\cSandboxLaunchFailureiOptionSelectediLastErrorValueiIsBrowserLaunchiIsCaptiveReaderLaunchiSandboxResultCodeiIsProtectedViewbIPMEnabledAppContainerpdfshell_prevbEnableStrictHandleCheckProtectionbEnableNonsystemFontRestrictionsbPVAppContainerFallback0x%XbEnableRemoteDllLoadRestrictionsbPMAppContainerFallbackiNumSessionsbEnableLowLabelDllLoadRestrictionsSoftware\Adobe\Adobe Acrobat\DC\AVGeneraliNumSessionsSoftware\Adobe\Adobe Acrobat\DC\AVGeneral\cSandboxLaunchFailure/if.Software\Adobe\Adobe Acrobat\DC\PrivilegedbEnableProtectedModeAppContainer/CRCoInitializeSecurity() failed, result=0xSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown/if/mspiPMAppContainerLaunchFailureFallbackSandbox Process Initialization Failed - error:/CRDebugbEnableProtectedViewAppContainer/ICSbEnableProtectedModeAppContainerbIPMTurnedPMONbPMSandboxFallbackbProtectedModeFailed to create a security descriptor4057363MbAllowFallbackForAdminEnforcedSandbox/b/l/ifDbEnableAppContainerForDebuggingbEnableProtectedModeAppContainer/idBSoftware\Adobe\Adobe Acrobat\DC\PrivilegedbProtectedModeHandshake with Sandbox Process FailedD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cppbProtectedMode/CRNoRemoveD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cppbProtectedMode/CRInvalid DateTimeSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegediPVAppContainerLaunchFailureFallbackReleaseInvalid DateTimeSpanbEnableProtectedViewAppContainer/CR:bEnableProtectedViewWin32kLockdownD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cppMakeScopedAbsoluteSd() failedAcrobatAppIDD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cpp/bAcroCEF\AcroCEF.exeCLSIDD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cppUnknown process type/r/VAcroCEF\RdrCEF.exeRdrCEF.exeAcroCEF.exe
Source: cd.exe Binary string: O\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dllkernel32.dll
Source: cd.exe Binary string: cadialhk.dllacpiz.dllactivedetect32.dllactivedetect64.dllairfoilinject3.dllakinsofthook32.dllassistant_x64.dllatcuf64.dllavcuf64.dllavgrsstx.dllbabylonchromepi.dllbtkeyind.dllcmcsyshk.dllcmsetac.dllcooliris.dllcplushook.dlldockshellhook.dlleasyhook32.dlleasyhook64.dllesspd.dllgoogledesktopnetwork3.dllfwhook.dllguard64.dllhookprocesscreation.dllhookterminateapis.dllhookprintapis.dllimon.dllicatcdll.dllicdcnl.dllioloHL.dllkloehk.dlllawenforcer.dlllibdivx.dlllvprcinj01.dllmadchook.dllmdnsnsp.dllmoonsysh.dllmpk.dlln64hooks.dllnpdivx32.dllnpggNT.desnpggNT.dllnphooks.dlloawatch.dllpastali32.dllpavhook.dllpavlsphook.dllpavshook.dllpavshookwow.dllpctavhook.dllpctgmhk.dllpicrmi32.dllpicrmi64.dllprntrack.dllprochook.dllprotector.dllradhslib.dllradprlib.dllrapportnikko.dllrlhook.dllrooksdol.dllrndlpepperbrowserrecordhelper.dllrpchromebrowserrecordhelper.dllr3hook.dllsahook.dllsbrige.dllsc2hook.dllsdhook32.dllsguard.dllsmum32.dllsmumhook.dllssldivx.dllsyncor11.dllsystools.dlltfwah.dllwblind.dllwbhelp.dllwindowsapihookdll32.dllwindowsapihookdll64.dllwinstylerthemehelper.dllD:\B\T\Imports\Open\Chrome\Chrome\src\services\service_manager\sandbox\win\sandbox_win.ccCreateAppContainerProfileSandbox container for Acrobat Reader Protected ModeAdobe Acrobat Reader DC Protected ModeAdobe.AcrobatReaderDC.ProtectedMode|bLTEnableConcurrencyInBrokerInit01DWSPY36.dll:1|CwComijt.dll:1|cscore.dll:1|vozokopot.dll:1|DreyeiMHook.dll:1|Dev2Dl32.dll:1|Nsccor01.dll:1|nsccor03.dll:1|DSTermPr.dll:1|jesterrun0.dll:1|DreyelMhook.dll:1|druver.dll:1|vpnlsp_x32.dll:1|msnhook.dll:1|hooker.dll:1|pcsw.dll:1|AntiExploitCore.dll:1|netchatidle.dll:1tDllLoadPermtDllLoadPerm_Computeonly4220220S-1-15-2-3805855342-111495108-2588610986-3809954156-747251120-2599371852-2534338891policy error:acrobat.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\RtlInitUnicodeStringntdll.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe Binary string: NUnknownDefaultNtCreateFileNtOpenFileNtQueryAttributesFileNtQueryFullAttributesFileCreateNamedPipeWNtOpenThreadNtOpenProcessNtOpenProcessTokenNtOpenProcessTokenExCreateProcessWNtCreateKeyNtOpenKeyCreateThreadNtCreateSectioncompute-only-brokercompute-only-rendereripc-co-channelipc-rdr-channeltyperenderershell-broker-channelipc-cef-channellocaleservice-sandbox-typenonenone_and_elevatednetworkppapiutilitycdmprint_compositoraudiosharing_servicespeech_recognitionvideo_capturepdf_conversionproxy_resolverxr_compositingallow-no-sandbox-joballow-sandbox-debuggingdisable-gpu-sandboxdisable-namespace-sandboxdisable-seccomp-filter-sandboxdisable-setuid-sandboxdisable-win32k-lockdownenable-audio-service-sandboxgpu-sandbox-allow-sysv-shmgpu-sandbox-failures-fatalno-sandboxallow-third-party-modulesadd-gpu-appcontainer-capsno-sandbox-and-elevatedadd-xr-appcontainer-capsgpu-processnacl-brokernacl-loaderppapi-brokerppapiutilityservicezygotentdll.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\@
Source: cd.exe Binary string: A\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ControlH1`@dI0nIPdI\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SystemTopicsSysItemsSystemFormatsCF_TEXTStatusReadyHelpYou are connected to Adobe Acrobat.ReturnMessage 2`@dI0nI 7Hp2`
Source: cd.exe Binary string: GCreateEvent: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\sync_dispatcher.ccOpenEvent: STATUS_ACCESS_DENIEDConsider modifying policy using these policy rules: EVENTS_ALLOW_ANY\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe Binary string: H\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\IsWow64Process2SetDefaultDllDirectoriesSetProcessMitigationPolicy\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtSetInformationProcesssecurity descriptor - error:D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\target_process.ccCreateProcessAsUserW failed to create sandbox process - error:job object - error:set thread token - error:g_shared_sectiong_shared_IPC_sizeg_shared_policy_size\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F]#B
Source: cd.exe Binary string: >`\Device\FileInfo%s%s%c:Superfetchinfo: %x Data: %x
Source: cd.exe Binary string: 3`@gI84`pfI\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe Binary string: cCZECSYGREELLSUOFINPOLPLKRUMROMTURTRKMNGMONESPESN\Locale\\brdlang32.Software\Adobe\Adobe Acrobat\DC\Language\current\brdlang32SYSTEM\CurrentControlSet\Control\FileSystemLongPathsEnabled\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\`
Source: cd.exe Binary string: cnullbooleanintegerdoublestringbinarydictionarylist\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe Binary string: :Zone.Identifierfeatmonitorapp.exeIPTip_Main_WindowSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer32%CommonProgramFiles%CommonProgramW6432Software\Adobe\Adobe Acrobat\DC\AVGeneralbProtectedModebHasAcrobatConsentDCSoftware\Adobe\Acrobat Reader\DC\PrivilegedContinuous.lnk\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SeChangeNotifyPrivilegeS:(ML;;;;;)S-1-16-16384S-1-16-12288S-1-16-8192S-1-16-6144S-1-16-4096S-1-16-2048S-1-16-0NtCreateLowBoxToken\Sessions\%d\AppContainerNamedObjects\%lsNtCreateDirectoryObject\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F] F] F] F] F] F] F] F] F] F] F] F] F] F]0
Source: cd.exe Binary string: IDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsHandleAcroURLAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\list too longatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistrar_pptExport.emfatlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceException.tmp.pdfatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPICount
Source: cd.exe Binary string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Reader /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplication{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe 
Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcroExch.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\NotificationAppxSOFTWARE\Adobe\Acrobat Reader\\DC\SOFTWARE\Adobe\Acrobat Reader\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstoreAdobe Reader XIRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrd
Source: cd.exe Binary string: Gbad array new lengthmap/set too longstring too longVersionMajor{AC76BA86-0000-0000-7760-7E8A45000000}InstallLocationAcrobat\Acrobat.exeiEntitlementLevelbLoginStatusTrunkBetaDC\AVEntitlementSOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorVersionMinorInstallLocationAcrobat\Acrobat.exe#32770Learn MoreOkMsgBoxHookMsgBoxHookMsgBoxHookMsgBoxHook0x%XS:(ML;;NW;;;LW)rdrCEF_alternate_desktop_alr_alternate_desktop_rdrCEF_alternate_desktop_alr_alternate_desktop_\S-1-16-4096S:(ML;CIOI;NW;;;LW)TMP=TMP=TEMP=TEMP=LOCALAPPDATA=LOCALAPPDATA===invalid string positionvector too longSOFTWARE\Adobe\Adobe Acrobat\DC\Installer\bIsSingleClientAppbIsSCAcroAppInstalledSCAPackageLevelIsAcrInstalledInRdrModeSeShutdownPrivilegekernel32.dllGetNamedPipeServerProcessIdGetNamedPipeClientProcessIdS:(ML;;NW;;;LW)D:P(D;;GA;;;NU)(D;;GA;;;AN)(A;;GA;;;)(A;;GA;;;AC)\\.\pipe\AIPC_SRV\\\.\pipe\AIPC_CLI\Global\IEACROBATSTARTIPCNAMEDPIPECOMGlobal\ARM Update MutexGlobal\Acro Update MutexC:\thsnYaVieBodaTsnIorcAeBoda\\.\pipe\32B6B37A-4A7D-4e00-95F2-6F0BF3DE3E00SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDownbEnableEventViewerLoggingSoftware\Adobe\Acrobat Reader\DC\PrivilegedbEnableEventViewerLoggingAdobe ReaderDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsHandleAcroURLAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\list too long4057363broker_pdfshell_sh/if/id %uAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Software\Adobe\Acrobat Reader\DC\FeatureStateSoftware\Adobe\Adobe Acrobat\DC\FeatureStateatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClient\??\\Device\atlTraceDBProvider\\?\UNC\\??\UNC\/?/UNC/atlTraceSnapin\?\UNC\\??\pipe\\??\mailslot\atlTraceNotImpl\\?\\\.\\\atlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPIAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib%d.%u.%d/cr/bSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownbEnforceReadRestrictionsSOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdownbEnableAlternateLaunchDesktopSoftware\Adobe\Adobe
Source: cd.exe Binary string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplicationSOFTWARE\Adobe\Adobe Acrobat\{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 IS_COEX_REPAIR=1 /qn/i msiexec.exe/i AppDoNotTakePDFOwnershipAtLaunch ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qnmsiexec.exeAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Dev
Source: cd.exe Binary string: O 3Eg_interceptionsNtMapViewOfSectionNtUnmapViewOfSectiong_originals\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Invalid Object foundD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\filesystem_policy.ccrequested path: actual path: Unexpected handle for path: Unexpected handle\/?/?\?:?:\\/?/?\UNC\Failed to process path (recursion detected): error code:Failed to process path:Unexpected error in path processing of:Unexpected error in source path processing of:::$DATA:$I30:$INDEX_ALLOCATION::$INDEX_ALLOCATION\\.\pipe\\\.\mailslot\Invalid path: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\\?\pipe\\Device\NamedPipe\SameObject check failed: D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\named_pipe_policy.ccntdll.dllkernel32.dllNtAllocateVirtualMemoryNtCloseNtDuplicateObjectNtFreeVirtualMemoryNtProtectVirtualMemoryNtQuerySectionNtQueryVirtualMemoryNtSignalAndWaitForSingleObjectNtWaitForSingleObjectRtlAllocateHeapRtlAnsiStringToUnicodeStringRtlCreateHeapRtlCreateUserThreadRtlDestroyHeapRtlFreeHeap_strnicmpstrlenwcslenmemcpy_wcsnicmpswprintf_sNtQueryInformationThreadNtSetInformationFileNtDeleteValueKeyNtCreateMutantNtOpenMutantNtOpenSectionNtAddAtomNtFindAtomNtDeleteAtomNtQueryInformationAtomg_ntNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenEx\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtSuspendProcessNtResumeProcessNtCreateProcessExntdll.dllInitializeProcThreadAttributeListUpdateProcThreadAttributeCreateProcessWAction: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\process_thread_policy.ccapp name: command line: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ for: Unexpected D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\registry_policy.ccReal path: CreateKeyOpenKey\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Handle AccessCheck failed: D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\signed_policy.cc\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtQuerySymbolicLinkObjectNtOpenSymbolicLinkObject%d\Sessions\BNOLINKSNtCreateEventNtOpenEvent\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe Binary string: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Ntdll.dllNtQueryInformationProcessSTATIC_acroS_winAcroPDF.dllAcroPDFImpl.dllNPPdf32.dllPDFPrevHndlr.dllPDFPrevHndlrShim.dllPDFThumbHndlr.dllPDFShell.dllPDFPropHndlr.dllAcroSBL/b/id/id4057363/if%s_%lu_%lu/acGeckoPluginWindowplugin-container.exe4021007AcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSTATICswBrowser|rdr|\Javascripts\JSByteCodeWin.bin|rdr|\AdobeUpdater.dll|sys|\ddraw.dll|sys|\dciman32.dllAdobeReaderSpeedLaunchCmdWndSOFTWARE\Adobe\Acrobat Reader\DC\AcroSpeedLaunchAcrobatSDIWindowAdobeAcrobatAcrobatTimerWndAcrobat runningMcShieldAvSynMgrnavapsvcAntiVirServiceAVPekrnIsVirusCheckerPresentServicesActivefound servicerunningIsVirusCheckerPresent doneAbortWM_CLOSEerr in TimeoutOrExitWaitUntilTimeoutOrMustExitOrVirusCheckerPresenterr in checkerSetThreadPriority worker thread lownot all ops, go into vc modewaitingmsvcr100.dllmsvcp100.dlldo Opsworker throw!worker doneTerminate thread!
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@4/27@6/5
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: cd.exe String found in binary or memory: /cite/word/install
Source: cd.exe String found in binary or memory: Couldn't find documents: You have selected documents from both My Library a Shared Group, or from multiple Shared Groups, which is not supported.Documents in multiple groupsPlease select the documents you wish to cite.importing %1 documents from plugin into ??geometry/newLibrarySplittergeometry/horizontalSplittergeometry/verticalSplitterSynchronizing - Step %1 of %2GroupFilterCollectionDeletedFilter1trigger()Synchronizing Zotero - Step %1 of %22duplicateSearchStarted(WorkerJob::Pointer)1highlightAndScrollTo(QList<Document::Pointer>)2allJobsFinished(QList<Document::Pointer>)Invite/invite/?dgcid=Mendeley_Desktop_Invite-colleagues/cite/word/install/importshowSignInmendeley://loginshowJoinMendeleyFormmendeley://registerDelete this document from your library?Delete %1 documents from your library?
Source: cd.exe String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
Source: cd.exe String found in binary or memory: 1openHelpGuides()Help Guides1openMendeleyWebsite()Mendeley Website1openFAQ()FAQ1openContactSupport()Contact SupportCheck for UpdatesCheck Now1toggleCheckForPreviewUpdates()Create Backup...1openMendeleyPrivacyPolicy()Privacy Policy1openMendeleyTandCs()Terms and Conditions1showAbout()https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-websitehttps://www.elsevier.com/legal/elsevier-website-terms-and-conditionshttps://www.elsevier.com/legal/privacy-policyhttps://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQhttps://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contact-SupportOpt-out of Experimental ReleasesOpt-in to Experimental Releases
Source: cd.exe String found in binary or memory: recently-added
Source: cd.exe String found in binary or memory: 1timeout()1showDocumentView()all-documentsrecently-addedmy-publicationsfavoritesfavouritesunsortedselectExistingGroupByIdactiongroupIdtabNameoverviewmembersInvalid group tab namefailed to select group1syncProgressChanged(QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>)2progressChanged(QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>)1updateRecentlyRead()selectExistingDocumentByIdidfileToOpenselectExistingFolderByIdfolderIdcan't fetch unknown document No document found matching the id1showStyleError(StylesFetcher::DownloadFromUrlError,QString)1selectStyle(QString)Style selected - %1Cannot install - %1. Error: %2No folder found matching the remote idMainWindowController::selectFilterByName: Can't find the filter showDocumentViewsetDocumentPropertiesPaneVisibilityselectMetadataTabselectTagsAndNotesTabselectFilterBySlugselectFilterByNameselectDocumentRowselectMainTabselectDocumentByIdselectGroupByIdH
Source: cd.exe String found in binary or memory: :/images/onboarding/bubbles/add_copy.png
Source: cd.exe String found in binary or memory: Try Mendeley <a href="https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-Importer"><b>Web Plugin</b></a> to import documents in just one click
Source: cd.exe String found in binary or memory: <html><head/><body><p><a href="https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">Cite</span></a> your Mendeley references in Microsoft Word<sup>&reg;</sup> or LibreOffice<sup>&trade;</sup></p></body></html>
Source: cd.exe String found in binary or memory: <html><head/><body><p>Discover how to <a href="https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">highlight and annotate</span></a> documents in your library</p></body></html>
Source: cd.exe String found in binary or memory: :/images/onboarding/bubbles/next.pngAdd and CreateUserGuidePopoverWidgetHide the Guidance PopupAlt+CClick here to <b>import</b> documents and folders to your library or <b>create new</b> entries manually.or importImport other librariesTry Mendeley <a href="https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-Importer"><b>Web Plugin</b></a> to import documents in just one clickYour Mendeley Library is backed up to the Mendeley Cloud every time you sync so you can access it on Mendeley Web Library, Mendeley Mobile or other installations of Mendeley Desktop. You can manage synchronization of your file attachments here.Click the help button to find out more about Mendeley and learn how to cite, annotate and collaborate.Learn how to<html><head/><body><p><a href="https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">Cite</span></a> your Mendeley references in Microsoft Word<sup>&reg;</sup> or LibreOffice<sup>&trade;</sup></p></body></html><html><head/><body><p>Discover how to <a href="https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">highlight and annotate</span></a> documents in your library</p></body></html>QPushButton:pressed { border: 1px solid white; background: white; color: white; opacity: 255; }QPushButton:pressed { border: 1px solid #F6F6F6; background: #F6F6F6; color: white; opacity: 255; }UserGuidePopover1trackButtonClick()1page0AltContentBiTeXButtonClicked()1page0AltContentEndNoteButtonClicked()1page0AltContentRISButtonClicked()1display()2displaySignal():/images/onboarding/bubbles/next.png:/images/onboarding/bubbles/close-button.pngStorage: Local & CloudThe help button will always be hereUserGuidePopover_Page%1unverifiedH
Source: cd.exe String found in binary or memory: Please upgrade to a supported version of MS Word and re-install the Mendeley plugin through Mendeley Desktop's 'Tools' menu. Sorry for the inconvenience.
Source: cd.exe String found in binary or memory: 1updateWordPlugin()1uninstallWordPlugin()Please upgrade to a supported version of MS Word and re-install the Mendeley plugin through Mendeley Desktop's 'Tools' menu. Sorry for the inconvenience.The Mendeley plugin requires Microsoft Word %1 or later.
Source: cd.exe String found in binary or memory: documents-add
Source: cd.exe String found in binary or memory: folder-add
Source: cd.exe String found in binary or memory: 333?editMenuSeparatorviewerActions.selectionMenuviewerActions.highlightMenuviewerActions.zoomModeMenudocuments-addAddnewDocumentActionImport additional documents to the current collectionaddFilesActionaddFolderActionWatch FolderwatchFolderActionAdd Entry ManuallyaddManualEntryActionemptyEmptyemptyTrashActionDelete all documents from the Trashdocument-deleteremoveDocumentActionMove the selected documents to the TrashremoveDocumentActionTrashContextDelete the selected documents from the TrashrestoreRestoreRestore DocumentsrestoreDocumentActionRestore the selected documents to their original locationRemove from FolderremoveFromFolderActionRemove the selected documents from this folderRename Document Files...renameDocumentActionfolder-addCreate FolderNew Folder...newFolderActionCreate a new folderNew GroupNew Group...newGroupActionCreate a new groupfolder-removeRemove CollectionRemoveCollectionActionRemove the current collectioneditSettingsActionRename Collection...renameFolderActionmagnifiercatalogSearchActionMendeley Catalog Searchrelated-documentsRelatedrecommendActionRecommend related documentsSyncSynchronize LibrarysynchronizeActionSynchronize your library with Mendeley WebHelpHelp ContentshelpActionOpen the Online Help Guide for MendeleyFindfindActionFind NextfindNextActionFind PreviousfindPreviousActionselectAllActionciteCitesendCitationActionSend citation to plugincancelcancelCitationActionCancel sending citation to pluginEdit...editDocumentActionactionNotDuplicatesUpdate DetailslookupMetadataActionfullscreenFullscreenfullScreenActionzoomActionzoom-inZoom InzoomInActionzoom-outZoom OutzoomOutActionrotate-leftRotate LeftrotateAnticlockwiseActionrotate-rightRotate RightrotateClockwiseActionpanPanpanActionfit-pageFit to PagezoomModeFitPageActionfit-widthFit to WidthzoomModeFitWidthActionzoomModeCustomselectActionselect-rectangleSelect RectangleselectRectangleActionselect-textSelectSelect TextselectFlowActionColorSelect ColorselectColorActionhighlightActionhighlight-textHighlightHighlight TexthighlightTextActionhighlight-rectHighlight RectanglehighlightRectangleActionnoteNoteAdd NoteaddNoteActioncopyActionpasteAction:/icons/64x64/actions/%1/%2.png:/icons/toolbar/%1/%2.png:/icons/toolbar/%1/%2-active.png:/icons/16x16/actions/%1.png
Source: cd.exe String found in binary or memory: The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
Source: cd.exe String found in binary or memory: Try '%ls --help' for more information.
Source: cd.exe String found in binary or memory: Commands : /install - Installs Steam Client Service
Source: cd.exe String found in binary or memory: /installscript <file> <appid> - Runs a Steam game install script
Source: cd.exe String found in binary or memory: /installscript
Source: cd.exe String found in binary or memory: /installscript failed on: %s: %d
Source: cd.exe String found in binary or memory: /install
Source: cd.exe String found in binary or memory: /install service install failed
Source: cd.exe String found in binary or memory: /setupsteam <command line> - Runs SteamSetup.exe/hide/installscript/installscript failed on: %s: %d
Source: cd.exe String found in binary or memory: /install/install service install failed
Source: cd.exe String found in binary or memory: /Install
Source: cd.exe String found in binary or memory: /Stop
Source: cd.exe String found in binary or memory: /Install/Uninstall/Start/Stop/RunAsService
Source: cd.exe String found in binary or memory: ,ZJAll AccessRead/WriteExecuteQuery ValueSet ValueCreate Sub KeyEnumerate Sub KeysNotifyCreate LinkWOW64_ResWOW64_32KeyWOW64_64KeyGeneric Read/Write/ExecuteGeneric Read/WriteGeneric Read/ExecuteGeneric Write/ExecuteGeneric ReadGeneric WriteGeneric ExecuteRead Data/List DirectoryWrite Data/Add FileAppend Data/Add Subdirectory/Create Pipe InstanceRead EAWrite EAExecute/TraverseDelete ChildRead AttributesWrite AttributesRead ControlWrite DACWrite OwnerSynchronizeAccess System SecurityMaximum Allowedkernel32.dllSD\fltlib.dll%llx%lf%s%07d%02u:%02u:%02u.%07u%02u:%02u:%02u%I64d0x%I64x-1%I64u KB MB GBWindows 2000Windows XPWindows XP x64Windows Server 2003Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016Windows %d.%d (build %d.%d)%08x:%08x%02X64-bit32-bit%x:%x:%x:%x:%x:%x:%x:%x%d.%d.%d.%d:%d:None
Source: cd.exe String found in binary or memory: -help
Source: cd.exe String found in binary or memory: sun/launcher/LauncherHelper
Source: cd.exe String found in binary or memory: Error: Corrupt jvm.cfg file; cycle in alias list.ERRORError: Unable to resolve VM alias %sWarning: %s VM not supported; %s VM will be usedError: %s VM not supported-version-fullversion-help-?-jar-X-XX:NativeMemoryTracking=%s%d=%s%s%dTRACER_MARKER: NativeMemoryTracking: env var is %s
Source: cd.exe String found in binary or memory: sun/launcher/LauncherHelper(Z[B)Ljava/lang/String;makePlatformStringjava/lang/String(ZILjava/lang/String;)Ljava/lang/Class;checkAndLoadMain%ld micro seconds to load main class
Source: cd.exe String found in binary or memory: browser-startup-dialog
Source: cd.exe String found in binary or memory: enable-service-binary-launcher
Source: cd.exe String found in binary or memory: gpu-launcher
Source: cd.exe String found in binary or memory: gpu-sandbox-start-early
Source: cd.exe String found in binary or memory: gpu-startup-dialog
Source: cd.exe String found in binary or memory: ppapi-plugin-launcher
Source: cd.exe String found in binary or memory: ppapi-startup-dialog
Source: cd.exe String found in binary or memory: renderer-startup-dialog
Source: cd.exe String found in binary or memory: utility-startup-dialog
Source: cd.exe String found in binary or memory: gpu2-startup-dialog
Source: cd.exe String found in binary or memory: --start-crash-handler
Source: cd.exe String found in binary or memory: QVersionNumbera+CONOUT$--start-crash-handlerRadareOrgCutterQList
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: cd.exe Static file information: File size 3922432 > 1048576
Source: cd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\1\s\Win32\Release\logonsessions.pdb source: cd.exe
Source: Binary string: c:\stream\develop\Regionhunt.pdb source: cd.exe
Source: Binary string: D:\a\1\s\Win32\Release\RamMap.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb))) source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: cd.exe
Source: Binary string: C:\agent\_work\93\s\Win32\Release\autoruns.pdb source: cd.exe
Source: Binary string: D:\a\1\s\Win32\Release\adrestore.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: cd.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\cd.exe Unpacked PE file: 1.2.cd.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\cd.exe Unpacked PE file: 1.2.cd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;aZAqrnJo:R;BGOllIzc:R;yQtoRARz:R;dZLJZOuu:R;sdDGHbsk:R;cQfsAIeK:R;nJjdtQIB:R;pcHOcQzM:R;wDcvvqlu:R;orXBiygL:R;AiZKCfrK:R;myoGvTPf:R;AVTlzkED:R;bzLENpIH:R;XcYnViEt:R;mbKhPZXg:R;lUpFJlcq:R;yiDSdvAK:R;tWLpgAgw:R;bTGdVUjl:R;ziIDaoXi:R;LzawvTwX:R;LnIDzdzd:R;wkCXpCGo:R;nqpeKqho:R;MRjgEOqy:R;JcLmCXgA:R;OtycdIdu:R;IbVOTdPC:R;FgFHDyjf:R;ybeqBvHg:R;IbzUQYJs:R;AQBgSYnS:R;XxFUmGWX:R;afVQQtfj:R;nwvMTysA:R;ZHPQhgLD:R;pxMMJkwk:R;JXHCNYcJ:R;lYRopDTG:R;bcYTpMaT:R;nuBezWiu:R;yPvpmSBg:R;OoEfGgTM:R;kYRGCWEC:R;ssiFbfZW:R;KHKSQqok:R;NcZcjaDP:R;mIUEylgT:R;lluFjCpP:R;BHqNuAAF:R;dWFkhiaJ:R;NeKPPFmp:R;mRaJxCpw:R;sjZRApAc:R;mJuapRBt:R;AUQwTDRB:R;Mzpcxreq:R;DQLewjlc:R;yQzDovRx:R;KsasGyWE:R;qALhWEsZ:R;EhLKChYp:R;juiuAwmE:R;FPCcnPuO:R;DQPOFovS:R;eeLebknr:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0040322B push ecx; ret 1_2_0040323B
PE file contains sections with non-standard names
Source: cd.exe Static PE information: section name: aZAqrnJo
Source: cd.exe Static PE information: section name: BGOllIzc
Source: cd.exe Static PE information: section name: yQtoRARz
Source: cd.exe Static PE information: section name: dZLJZOuu
Source: cd.exe Static PE information: section name: sdDGHbsk
Source: cd.exe Static PE information: section name: cQfsAIeK
Source: cd.exe Static PE information: section name: nJjdtQIB
Source: cd.exe Static PE information: section name: pcHOcQzM
Source: cd.exe Static PE information: section name: wDcvvqlu
Source: cd.exe Static PE information: section name: orXBiygL
Source: cd.exe Static PE information: section name: AiZKCfrK
Source: cd.exe Static PE information: section name: myoGvTPf
Source: cd.exe Static PE information: section name: AVTlzkED
Source: cd.exe Static PE information: section name: bzLENpIH
Source: cd.exe Static PE information: section name: XcYnViEt
Source: cd.exe Static PE information: section name: mbKhPZXg
Source: cd.exe Static PE information: section name: lUpFJlcq
Source: cd.exe Static PE information: section name: yiDSdvAK
Source: cd.exe Static PE information: section name: tWLpgAgw
Source: cd.exe Static PE information: section name: bTGdVUjl
Source: cd.exe Static PE information: section name: ziIDaoXi
Source: cd.exe Static PE information: section name: LzawvTwX
Source: cd.exe Static PE information: section name: LnIDzdzd
Source: cd.exe Static PE information: section name: wkCXpCGo
Source: cd.exe Static PE information: section name: nqpeKqho
Source: cd.exe Static PE information: section name: MRjgEOqy
Source: cd.exe Static PE information: section name: JcLmCXgA
Source: cd.exe Static PE information: section name: OtycdIdu
Source: cd.exe Static PE information: section name: IbVOTdPC
Source: cd.exe Static PE information: section name: FgFHDyjf
Source: cd.exe Static PE information: section name: ybeqBvHg
Source: cd.exe Static PE information: section name: IbzUQYJs
Source: cd.exe Static PE information: section name: AQBgSYnS
Source: cd.exe Static PE information: section name: XxFUmGWX
Source: cd.exe Static PE information: section name: afVQQtfj
Source: cd.exe Static PE information: section name: nwvMTysA
Source: cd.exe Static PE information: section name: ZHPQhgLD
Source: cd.exe Static PE information: section name: pxMMJkwk
Source: cd.exe Static PE information: section name: JXHCNYcJ
Source: cd.exe Static PE information: section name: lYRopDTG
Source: cd.exe Static PE information: section name: bcYTpMaT
Source: cd.exe Static PE information: section name: nuBezWiu
Source: cd.exe Static PE information: section name: yPvpmSBg
Source: cd.exe Static PE information: section name: OoEfGgTM
Source: cd.exe Static PE information: section name: kYRGCWEC
Source: cd.exe Static PE information: section name: ssiFbfZW
Source: cd.exe Static PE information: section name: KHKSQqok
Source: cd.exe Static PE information: section name: NcZcjaDP
Source: cd.exe Static PE information: section name: mIUEylgT
Source: cd.exe Static PE information: section name: lluFjCpP
Source: cd.exe Static PE information: section name: BHqNuAAF
Source: cd.exe Static PE information: section name: dWFkhiaJ
Source: cd.exe Static PE information: section name: NeKPPFmp
Source: cd.exe Static PE information: section name: mRaJxCpw
Source: cd.exe Static PE information: section name: sjZRApAc
Source: cd.exe Static PE information: section name: mJuapRBt
Source: cd.exe Static PE information: section name: AUQwTDRB
Source: cd.exe Static PE information: section name: Mzpcxreq
Source: cd.exe Static PE information: section name: DQLewjlc
Source: cd.exe Static PE information: section name: yQzDovRx
Source: cd.exe Static PE information: section name: KsasGyWE
Source: cd.exe Static PE information: section name: qALhWEsZ
Source: cd.exe Static PE information: section name: EhLKChYp
Source: cd.exe Static PE information: section name: juiuAwmE
Source: cd.exe Static PE information: section name: FPCcnPuO
Source: cd.exe Static PE information: section name: DQPOFovS
Source: cd.exe Static PE information: section name: eeLebknr
Source: initial sample Static PE information: section name: .text entropy: 6.93749374769

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR
Source: C:\Users\user\Desktop\cd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: cd.exe Binary or memory string: IIRP_MJ_FASTIO_PROCMON.EXEPROCEXP.EXEAUTORUNS.EXESYSTEMPAGEFILE.SYS$MFT$MFTMIRR$LOGFILE$VOLUME$ATTRDEF$ROOT$BITMAP$BOOT$BADCLUS$SECURE$UPCASE$EXTENDFAST IOINCLUDEEXCLUDE<BAD>OKAY TO OVERWRITE EVENT LOG ''?AN ERROR OCCURRED OPENING THE SNAPSHOT ''APPLYING EVENT FILTEROPERATION CANCELLED: THE LISTVIEW DATA MAY BE INCOMPLETEPROCESS MONITOR CAN OPEN AT MOST BACKING FILES<PAGEFILE>YESNOEVENTPROCESSINDEXSTACKFRAMEDEPTHADDRESS + PATHLOCATIONPROCESSPROCESSIDPARENTPROCESSIDPARENTPROCESSINDEXAUTHENTICATIONIDCREATETIMEFINISHTIMEISVIRTUALIZEDIS64BITINTEGRITYOWNERPROCESSNAMECOMMANDLINECOMPANYNAMEVERSIONDESCRIPTIONMODULELISTMODULETIMESTAMPBASEADDRESSSIZECOMPANYPROCESS MONITOR - EXPORTING EVENT DATAWT, CCS=UTF-8"%S"

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_004359CA mov eax, dword ptr fs:[00000030h] 1_2_004359CA
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_0043559C push dword ptr fs:[00000030h] 1_2_0043559C
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_008004F4 mov eax, dword ptr fs:[00000030h] 1_2_008004F4
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_008000C6 push dword ptr fs:[00000030h] 1_2_008000C6
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00401873 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk, 1_2_00401873
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00402F32 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError, 1_2_00402F32
Source: cd.exe Binary or memory string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Reader /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplication{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcroExch.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\NotificationAppxSOFTWARE\Adobe\Acrobat Reader\\DC\SOFTWARE\Adobe\Acrobat Reader\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstoreAdobe Reader XIRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrd
Source: cd.exe Binary or memory string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplicationSOFTWARE\Adobe\Adobe Acrobat\{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 IS_COEX_REPAIR=1 /qn/i msiexec.exe/i AppDoNotTakePDFOwnershipAtLaunch ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qnmsiexec.exeAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Dev
Source: C:\Users\user\Desktop\cd.exe Code function: 1_2_00401342 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_00401342

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR
Yara detected PsExec sysinternal tool
Source: Yara match File source: cd.exe, type: SAMPLE