Windows Analysis Report cd.exe

AV Detection:

Multi AV Scanner detection for submitted file

Source: cd.exe

ReversingLabs: Detection: 60%

Machine Learning detection for sample

Source: cd.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.cd.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.3.cd.exe.82998c.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\cd.exe

Unpacked PE file: 1.2.cd.exe.400000.0.unpack

Uses 32bit PE files

Source: cd.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.102.106:443 -> 192.168.2.6:49751 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: D:\a\1\s\Win32\Release\logonsessions.pdb source: cd.exe
Source:	Binary string: c:\stream\develop\Regionhunt.pdb source: cd.exe
Source:	Binary string: D:\a\1\s\Win32\Release\RamMap.pdb source: cd.exe
Source:	Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb))) source: cd.exe
Source:	Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb source: cd.exe
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: cd.exe
Source:	Binary string: C:\agent\_work\93\s\Win32\Release\autoruns.pdb source: cd.exe
Source:	Binary string: D:\a\1\s\Win32\Release\adrestore.pdb source: cd.exe
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: cd.exe

Spreading:

Found PSEXEC tool (often used for remote process execution)

Source: cd.exe

String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49737 -> 173.239.8.164:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49737 -> 173.239.8.164:80
Source: Traffic	Snort IDS: 2030821 ET MALWARE Win32/Zonebac Traffic Redirect 192.168.2.6:49737 -> 173.239.8.164:80

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WEBAIR-INTERNETUS WEBAIR-INTERNETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Yara detected PsExec sysinternal tool

Source: Yara match

File source: cd.exe, type: SAMPLE

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 173.192.101.24 173.192.101.24
Source: Joe Sandbox View	IP Address: 173.192.101.24 173.192.101.24

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Found strings which match to known social media urls

Source: msapplication.xml0.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: re currently viewing and your location (ad serving is based on general location). Personalised content and ads can be based on those things and your activity, like Google searches and videos that you watch on YouTube. Personalised content and ads include things like more relevant results and recommendations, a customised YouTube homepage, and ads that are tailored to your interests.</div><div class="yS1nld">Click 'Customise' to review options, including controls to reject the use of cookies for personalisation and information about browser-level controls to reject some or all cookies for other uses. You can also visit <span>g.co/privacytools</span> at any time.</div></div></div></div><div class="VDity"><button class="tHlp8d" id="VnjCcb" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQiJAHCBo"><div class="jyfHyd" role="none">Customise</div></button><button class="tHlp8d" id="L2AGLb" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQiZAHCBs"><div class="jyfHyd" role="none">I agree</div></button></div><div class="XWlrff"><style>.XWlrff{margin:20px;display:flex;flex-direction:row;justify-content:center;position:absolute;bottom:0;right:0;left:0}.peRL2e,.o9D5Zb{color:#70757a;text-decoration:none}.o9D5Zb{margin:0 10px}.XWlrff{margin:18px auto 20px;position:relative}@media (max-width:320px){.peRL2e{font-size:11px}}@media (max-height:480px){.XWlrff{margin-bottom:10px}}</style><a class="peRL2e" href="https://policies.google.com/privacy?hl=en-GB&amp;fg=1&amp;utm_source=ucbs" id="RP3V5c" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQj5AHCBw">Privacy</a><div class="o9D5Zb" aria-hidden="true">&middot;</div><a class="peRL2e" href="https://policies.google.com/terms?hl=en-GB&amp;fg=1&amp;utm_source=ucbs" id="HQ1lb" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQkJAHCB0">Terms</a></div></div></div></span></div></div><script nonce="sBDQvviEJYE6GoG6F/T2Gw==">(function(){var consentCookiePayload='YES+shp.gws-20210909-0-RC2.en+FX+509';var nidCookiePayload='223\x3dao_PNWYHKNRTKr72m4usLcTnJh9tuvM0SumQjLr2NpAzZjJRtiknK0gCmTBXLOnKGQSjcjc7q7fXQyHh5YsCZxvbJHtqG4tUjigGnPyvRGQzyKRILvDlG4HWUN7F5Jpi_nHXn1ESCCOSvi8kY-pjocaxP4tq4OrC3-8IjbCQNp0';var cookieDomain='.google.com';var cookieUpdateConsentUrl='https://consent.google.com/s?continue\x3dhttps://www.google.com/?gws_rd%3Dssl\x26gl\x3dGB\x26m\x3d0\x26pc\x3dshp\x26uxe\x3dnone\x26v\x3dshp.gws-20210909-0-RC2.en%2BFX%2B509\x26ca\x3de\x26x\x3d5\x26t\x3dADw3F8gQkSzvPQQLJeh4nXGqegxVPXiLSQ:1631628204516';var sIU='https://accounts.google.com/ServiceLogin?hl\x3den\x26continue\x3dhttps://www.google.com/?gws_rd%3Dssl\x26gae\x3dcb-none';var cU='https://consent.google.com/d?continue\x3dhttps://www.google.com/?gws_rd%3Dssl\x26gl\x3dGB\x26m\x3d0\x26pc\x3dshp\x26uxe\x3dnone\x26hl\x3den\x26src\x3d2';var pC='SEARCH_HOMEPAGE';var gL='GB';var isMobile=false;var srp=false; equals www.youtube.com (Youtube)

URLs found in memory or binary data

Source: LM1X3BMT.htm.9.dr	String found in binary or memory: http://agoogleaday.com/%23date%3D2011-06-04
Source: cd.exe	String found in binary or memory: http://citationstyles.org/
Source: cd.exe	String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/
Source: ~DFFAD0E470126C2D77.TMP.7.dr, index[1].htm.9.dr	String found in binary or memory: http://google.com
Source: 1G7O03DV.htm.9.dr, ~DFFAD0E470126C2D77.TMP.7.dr	String found in binary or memory: http://menehleibe.com/
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr	String found in binary or memory: http://menehleibe.com/Root
Source: cd.exe	String found in binary or memory: http://p.yusukekamiyamane.com/
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: http://schema.org/WebPage
Source: cd.exe	String found in binary or memory: http://support.mendeley.com/customer/portal/articles/227955
Source: 1G7O03DV.htm.9.dr	String found in binary or memory: http://ww9.menehleibe.com/
Source: msapplication.xml.7.dr	String found in binary or memory: http://www.amazon.com/
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr	String found in binary or memory: http://www.broofa.com
Source: msapplication.xml1.7.dr, 0V71R0V5.htm.9.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.7.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr	String found in binary or memory: http://www.reddit.com/
Source: cd.exe	String found in binary or memory: http://www.sysinternals.com
Source: cd.exe	String found in binary or memory: http://www.sysinternals.comFileVersionLegalCopyright
Source: cd.exe	String found in binary or memory: http://www.sysinternals.comWindowPositionSOFTWARE
Source: cd.exe	String found in binary or memory: http://www.sysinternals.comopenConnection
Source: cd.exe	String found in binary or memory: http://www.sysinternals.comopenFolder
Source: msapplication.xml5.7.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.7.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr	String found in binary or memory: http://www.youtube.com/
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://adservice.google.com/adsid/google/ui
Source: LM1X3BMT.htm.9.dr, rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr	String found in binary or memory: https://apis.google.com
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://artsandculture.google.com/partner/museo-reina-sofia
Source: cd.exe	String found in binary or memory: https://citationstyles.org
Source: cd.exe	String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlBrowser
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://consent.google.com/d?continue
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://consent.google.com/s?continue
Source: cd.exe	String found in binary or memory: https://crashpad.chromium.org/
Source: cd.exe	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: cd.exe	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: cd.exe	String found in binary or memory: https://csl.mendeley.com
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://donate.google.com/checkout?campaignid%3D6420545008435200
Source: imagestore.dat.9.dr	String found in binary or memory: https://gertrk.com/favicon.ico
Source: ~DFFAD0E470126C2D77.TMP.7.dr	String found in binary or memory: https://gertrk.com/nlp/index.php?url_bnm_redirect=http://google.com
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr	String found in binary or memory: https://gertrk.com/nlp/index.php?url_bnm_redirect=http://google.comRoot
Source: cd.exe	String found in binary or memory: https://github.com/Juris-M/citeproc-js
Source: cd.exe	String found in binary or memory: https://github.com/citation-style-language/styles
Source: cd.exe	String found in binary or memory: https://ims-na1-stg1.adobelogin.com
Source: cd.exe	String found in binary or memory: https://ims-prod06.adobelogin.com
Source: cd.exe	String found in binary or memory: https://lcs-cops-dev.adobe.io
Source: cd.exe	String found in binary or memory: https://lcs-cops-dev.adobe.iohttps://lcs-cops-stage.adobe.iohttps://lcs-cops.adobe.iohttps://lcs-rob
Source: cd.exe	String found in binary or memory: https://lcs-cops-stage.adobe.io
Source: cd.exe	String found in binary or memory: https://lcs-cops.adobe.io
Source: cd.exe	String found in binary or memory: https://lcs-robs-dev.adobe.io
Source: cd.exe	String found in binary or memory: https://lcs-robs-stage.adobe.io
Source: cd.exe	String found in binary or memory: https://lcs-robs.adobe.io
Source: cd.exe	String found in binary or memory: https://lcs-ulecs-dev.adobe.io
Source: cd.exe	String found in binary or memory: https://lcs-ulecs-stage.adobe.io
Source: cd.exe	String found in binary or memory: https://lcs-ulecs.adobe.io
Source: cd.exe	String found in binary or memory: https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-I
Source: d4a6d4bd[1].htm.9.dr	String found in binary or memory: https://mybetterdl.com/aS/feedclick?s=PmRMc57CnhYhj70e-I9ky5kfJerKhwxlfSMU3tyux_x5AGZrWUPSJmPzN2c9f2
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://ogs.google.com/widget/app/so?bc=1
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://ogs.google.com/widget/callout?prid=19025503
Source: cd.exe	String found in binary or memory: https://plasma.kde.org
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://policies.google.com/privacy?hl=en-GB&fg=1&utm_source=ucbs
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://policies.google.com/terms?hl=en-GB&fg=1&utm_source=ucbs
Source: cd.exe	String found in binary or memory: https://rrchnm.org/
Source: cd.exe	String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/19601/kw/connectivity/supporthub/mendeley/1setU
Source: cd.exe	String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/19611/kw/duplicates/supporthub/mendeley/Yes
Source: cd.exe	String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/22094/kw/migrate/supporthub/mendeley/
Source: cd.exe	String found in binary or memory: https://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contac
Source: cd.exe	String found in binary or memory: https://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQ
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://trends.google.com/hottrends
Source: cd.exe	String found in binary or memory: https://www.elsevier.com/legal/elsevier-website-terms-and-conditions
Source: cd.exe	String found in binary or memory: https://www.elsevier.com/legal/privacy-policy
Source: cd.exe	String found in binary or memory: https://www.gmu.edu/
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://www.google.co.uk/intl/en/about/products
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://www.google.com
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://www.google.com/?gws_rd%3Dssl
Source: ~DFFAD0E470126C2D77.TMP.7.dr	String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: ~DFFAD0E470126C2D77.TMP.7.dr	String found in binary or memory: https://www.google.com/?gws_rd=ssl_bnm_redirect=http://google.com
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr	String found in binary or memory: https://www.google.com/?gws_rd=ssl_bnm_redirect=http://google.com/?gws_rd=ssl
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://www.google.com/_/og/promos/
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr	String found in binary or memory: https://www.google.com/index.php?url_bnm_redirect=http://google.com/?gws_rd=ssl_bnm_redirect=http://
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr	String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://www.google.com/search?gws_rd%3Dssl%26q%3Dnebulae%26um%3D1%26ie%3DUTF-8%26tbm%3Disch%26csf%3D
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://www.google.com/url?q=https://www.google.com/chrome/download-chrome-for-search/%3Fbrand%3DOKW
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/search_black_24dp.png
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.auSrFW-FX90.O/rt=j/m=qabr
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.auSrFW-FX90.O/rt=j/m=qdsh/d=1/ed=1/rs=AA2YrTtiIgpyWC3
Source: LM1X3BMT.htm.9.dr	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.wtXa61WU3WQ.L.X.O/m=qcwid/excm=qaaw
Source: cd.exe	String found in binary or memory: https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding
Source: cd.exe	String found in binary or memory: https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite
Source: cd.exe	String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
Source: cd.exe	String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com
Source: cd.exe	String found in binary or memory: https://www.mendeley.com/library
Source: cd.exe	String found in binary or memory: https://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-website
Source: cd.exe	String found in binary or memory: https://www.sysinternals.comntdllRtlInitUnicodeStringNtOpenDirectoryObjectNtQuerySectionNtQueryDirec
Source: cd.exe	String found in binary or memory: https://www.virustotal.com/about/terms-of-service%s
Source: cd.exe	String found in binary or memory: https://www.virustotal.comPOST4e3202fdbe953d628f650229af5b3eb49cd46b2d3bfe5546ae3c5fa48b554e0capikey
Source: cd.exe	String found in binary or memory: https://www.zotero.org/

Posts data to webserver

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateHost: menehleibe.comContent-Length: 12Connection: Keep-AliveCache-Control: no-cacheData Raw: 69 63 3d 30 26 66 62 3d 74 72 75 65 Data Ascii: ic=0&fb=true

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: menehleibe.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /aS/feedclick?s=PmRMc57CnhYhj70e-I9ky5kfJerKhwxlfSMU3tyux_x5AGZrWUPSJmPzN2c9f2E7_vAN-6p8GpmDZG8TCuTZ6pDoEwlyap2kZsgzB4lH00ug8e5ExIzs-GByJkw_hnoLHWVUL2gXgUyatsBFMaSTc1RQ5RxkQPBqyyTn3ctXNy_0uSHRSxkmOy8VHMc85GIOT4jmse8Hco-FpMlb9RHx56VxjN2QtFN197vLrfkZ9qE509t5aRYfk0fTaZIGwGtVFx6Cjc1It8vKVodI2QoCnLeLuzBqxrSYHinyRIiR6SzTXaBf9PH6fc538M5WEvMvhjauUHGubj961r75KUjKtSXnHatHqEuiyuTMyWjRyjCKMGCurZS8_bcUa4tJgkiTyXdC5k_Q4CBuzEhgKlo_tO4ZCxjCqbxJk5Qzkw_MwwsEKwa-Bh_puw260HEYWHbHAxhhGdlJM-I_t1xxhVv3SQmb2uwb95RlGM7AqpOHVVF6EgPkt4a55MyZVnXuVkgrUl1akVOciihIlqaZoSoe2Ylzr70WFqgr6AhoabQSBzCjuJYNp4gwUYV0VWvRZajmUWO_Vxo8ML-hjUsrPH807AqUmDxuY4v8inEoo-y-qnyU06p2Uh3Pw9YdNYD58IK4CKCGcA-Uam9dcss-T-5Iub4J15H67wFZ2snzzWpWzEKC9XUORoe_dbnEgAhHx_n7Z4tVOYdW5lW6ruDPqaeHc0uzcTU9bgm_in-W2l5vorxPFmQaTFIcy4B5guOnMJ5yZHLQD576xYWbP03aM83dTwE3kMpnzCC1V5B-3hXd5pzfx17GSZUu2KHXImolykrmTazGZKmMBhE5rzai4ARXglTM7lPAlIssdjgnlOgBObVnL6dMrNPV4wycVX3s5OxtJMXedCWE2r5biNOcX3y5Pmw-0BUdBZv7MvlSTP2Fk9AaabOem2Q73GpjsG_dwXVnUc2FH6zZuqWu2Dli66C-XucADfX2tBPlR3prQOfp40mttv00_iCR6q6fLI9QZgGY11WgfO3qdEgV2xwoj0eGTIxBicwTEMicE9X3AYQsCpAEn3pdnGSoQpHTA7Kz9fo94mKnTULy2teQgTesP9hhxLreOeHrbCzwHSSbH-FJZx15JZAYCxI8gV6bvS4IWlDg_vysGgTqrjiFCjhA5kocz54NYxtQVvyXSZspRWMKjI1QYN8ennj2JVFvWfYyzeLbGr1ovqBCtNBvJi2ztcTgBlsW0SM8XIsRgd4QMcWZcycyUPzb9Wd1bDxFTAWmSXH43ynD5UObBi5FyNDw8qKKmoCnfedHiztWYQxKotKUGaKd1m_k2iMIc5SBU1Vi7-MGW4_Mi4WYIzJL61eBLaioPhng2BQ6PDt8aAWdDMho29RkRFHVPIQb3W3nWMGo8srLOHYnfrFRuEDgcm6cqkr2IQD0T7sB-GexA77NdWEi2cdlkkLEB146pQ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: mybetterdl.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /adServe/domainClick?ai=qR193HoKV_skvRDJ1Xl7Z2EMSqLSlBmindZv5NojCHOwn03uCMUnWWP1f_rG7YbjKg1peh-_obzBIj3uZHPpnj9EVoFzCvr6nUsZVZhWVPP-29LJmEHdmZ7b6Qy9a1mHTiLNxNNj-331YCaynPT02WREUdU8hBvdAVtzW-BnG_JiVnQIGgxQDiU7ugF2M-yuSZspRWMKjI0oZaL4_NY6BA8B78vhYDGtjMUdyxHqWTbxnarhY6PRQCoyupr1mhPBjhdEqJB6Nj2XmDvYXWw9hp-qFZn5gpnPqtE9sbJicJwX2fEbVjxB9kp2QAzznS8_6fjhgUFt3sQISiZ3D8mF7LCm2HeI0S938_gGwpSXr3tSAMcY_H2x07HFovOGSDpNKiXhLmiyflhHQ2DhJtv57Pgpt-TBvcxCEwrLEAaOW_go6oM85zEqQcFJgSFbjHo8VjLddbnKrYw&ui=PmRMc57CnhbNSfHhL5kCGmvi5v6ZZrF7dLiTNq3P25qokS0sVeF3FkXI0PDyooqap4CS6zytrLbvtEDBZZLJWA-odODn3W3LTPqV0hvm1VqP--qZkGGf_8AXd3hExnhV&si=1&oref=a606ca39dc85b39bdaa2bf88832fa198&optunit=SZspRWMKjI3Y6yHw-JV9WQ&rb=mhdAWEBiphk&rr=1&abtg=0 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: p226681.mybetterdl.comCookie: rhid=79630578833
Source: global traffic	HTTP traffic detected: GET /click.php?key=qxr7sx5xq96osnrqgm1a&subid=87057224030&bid=0.025&site=413999995&source=413999995&clickid=87057224030&browser=Internet+Explorer+11&geo=CH&campaign_name=CH&device=Desktop&os=Windows+10 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: gertrk.com
Source: global traffic	HTTP traffic detected: GET /nlp/index.php?url_bnm_redirect=http://google.com HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: gertrk.comCookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gertrk.comConnection: Keep-AliveCookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
Source: global traffic	HTTP traffic detected: GET /?gws_rd=ssl HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.google.com
Source: global traffic	HTTP traffic detected: GET /images/branding/googlelogo/2x/googlelogo_color_272x92dp.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.google.com/?gws_rd=sslAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=PENDING+509
Source: global traffic	HTTP traffic detected: GET /gen_204?ei=rKtAYY2rHY25kwWZrp3YAw&vet=10ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQhJAHCBQ..s&gl=GB&pc=SEARCH_HOMEPAGE&isMobile=false HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.google.com/?gws_rd=sslAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=PENDING+509
Source: global traffic	HTTP traffic detected: GET /images/searchbox/desktop_searchbox_sprites318_hr.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.google.com/?gws_rd=sslAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=PENDING+509
Source: global traffic	HTTP traffic detected: GET /images/bjM3gVEtKlUeWm2NnKw3/UycpbcugJuZhqNGVGh8/kwk4esZ_2F2xjDYD_2BSa_/2F328cjxY6AQM/kA5SneVc/JKL1AVTBXoV77D1JaKVgbri/d8lSYHOR5C/_2FOPoUzuMMso_2Bp/A_2Ffbx4wppa/aSm6IWIjM6R/Y44GbYY.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: menehleibe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: menehleibe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.google.com

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.102.106:443 -> 192.168.2.6:49751 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

System Summary:

Writes or reads registry keys via WMI

Source: C:\Users\user\Desktop\cd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\cd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\cd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Users\user\Desktop\cd.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\cd.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\cd.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Uses 32bit PE files

Source: cd.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Detected potential crypto function

Source: C:\Users\user\Desktop\cd.exe

Code function: 1_2_0040323C

1_2_0040323C

Contains functionality to call native functions

Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_00401873 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk,		1_2_00401873
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_0040171A NtMapViewOfSection,RtlNtStatusToDosError,		1_2_0040171A
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_0040202A NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,		1_2_0040202A
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_004022D1 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset,		1_2_004022D1
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_004020E9 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,memcpy,		1_2_004020E9
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_00402F98 memset,memcpy,NtSetContextThread,LdrInitializeThunk,RtlNtStatusToDosError,GetCalendarWeekNumber,GetLastError,		1_2_00402F98
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_00401646 NtGetContextThread,LdrInitializeThunk,RtlNtStatusToDosError,		1_2_00401646
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_00402550 NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset,LdrInitializeThunk,LdrInitializeThunk,memcpy,		1_2_00402550
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_0040345D NtQueryVirtualMemory,		1_2_0040345D
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_004018E5 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,		1_2_004018E5
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_004031F0 NtGetContextThread,		1_2_004031F0
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_004012A3 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,		1_2_004012A3

Sample file is different than original file name gathered from version info

Source: cd.exe	Binary or memory string: zD%s\service_log.txtERROR! %s %s : %s%s\StringFileInfo\040904b0\OriginalFilename\installpath_SkipServiceVerificationChecks%s\bin\service_minimum_versions.vdf%s\service_minimum_versions.vdfVersion file missing or corrupt: %s vs cd.exe
Source: cd.exe	Binary or memory string: M\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs cd.exe

PE file contains more sections than normal

Source: cd.exe

Static PE information: Number of sections : 71 > 10

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: cd.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Sample is known by Antivirus

Source: cd.exe

ReversingLabs: Detection: 60%

PE file has an executable .text section and no other executable section

Source: cd.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\cd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\cd.exe 'C:\Users\user\Desktop\cd.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\cd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F14FAF2F-15AF-11EC-90E5-ECF4BB2D2496}.dat

Jump to behavior

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF1C6E09CA4CF5EBDD.TMP

Jump to behavior

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Source: cd.exe	Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServer\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program.
Source: cd.exe	Binary string: HNtOpenKeyExNtCreateKey: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\registry_dispatcher.ccConsider modifying policy using this policy rule: REG_ALLOW_ANYNtOpenKey: STATUS_ACCESS_DENIED\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
Source: cd.exe	Binary string: A@\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
Source: cd.exe	Binary string: A4057363broker_pdfshell_sh/if/id %uAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Software\Adobe\Acrobat Reader\DC\FeatureStateSoftware\Adobe\Adobe Acrobat\DC\FeatureState
Source: cd.exe	Binary string: zl`l@`l@aFatlTraceGeneral\??\\Device\\\?\UNC\\??\UNC\/?/UNC/atlTraceCOM\?\UNC\\??\pipe\\??\mailslot\atlTraceQI\\?\\\.\\\atlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib:Invalid DateTimeInvalid DateTimeSpanMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exceptionMath overflow exception (cont.) (cont.)Math overflow exceptionrSOFTWARE\Adobe\AcroPerfMath overflow exceptionbLaunchTimingMath overflow exceptionbExtendedProfilingMath overflow exceptionbDetailedHandlerProfilingMath overflow exceptiontOutputDirMath overflow exceptionMath overflow exceptionlabeled blockMath overflow exceptionMath overflow exceptionbFilemonMarkersrP[h`+Md[h
Source: cd.exe	Binary string: FNtCreateSection: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\signed_dispatcher.ccreal_path: NtOpenSection: STATUS_ACCESS_DENIED\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
Source: cd.exe	Binary string: M\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SystemTopicsSysItemsSystemFormatsCF_TEXTStatusReadyHelpYou are connected to Adobe Acrobat.ReturnMessage
Source: cd.exe	Binary string: L\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Ntdll.dllNtQueryInformationProcessSTATIC_acroS_winAcroPDF.dllAcroPDFImpl.dllNPPdf32.dllPDFPrevHndlr.dllPDFPrevHndlrShim.dllPDFThumbHndlr.dllPDFShell.dllPDFPropHndlr.dllAcroSBL/b/id/id4057363/if%s_%lu_%lu/acGeckoPluginWindowplugin-container.exe4021007AcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSTATICswBrowser|acr|\FNP_Act_Installer.dll|acr|\SynchronizerApp.exe|acr|\Javascripts\JSByteCodeWin.bin|acr|\AdobeUpdater.dll|sys|\ddraw.dll|sys|\dciman32.dllAdobeAcrobatSpeedLaunchCmdWndSOFTWARE\Adobe\Adobe Acrobat\DC\AcroSpeedLaunchAcrobatSDIWindowAdobeAcrobatAcrobatTimerWndAcrobat runningMcShieldAvSynMgrnavapsvcAntiVirServiceAVPekrnIsVirusCheckerPresentServicesActivefound servicerunningIsVirusCheckerPresent doneAbortWM_CLOSEerr in TimeoutOrExitWaitUntilTimeoutOrMustExitOrVirusCheckerPresenterr in checkerSetThreadPriority worker thread lownot all ops, go into vc modewaitingmsvcr100.dllmsvcp100.dlldo Opsworker throw!worker doneTerminate thread!
Source: cd.exe	Binary string: A\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F]P
Source: cd.exe	Binary string: \\\?\.dll.apibad allocationSOFTWARE\Adobe\Adobe Acrobat\DC\InstallPathSOFTWARE\Adobe\Acrobat Reader\DC\InstallPath|ci||cpg||cc||cpt||cpe||cf||csu||cr||cst||cbb||csm||cdd||cdr||cn||cnh||cfo||ct||ccsm||ccp||ccs||ccd||cad||cph||cas||cca||ccf||cic||cco||ch||cmm||cla||ccad||cpf||cmp||cpfc||ccdc||crs||crl||ccam||cat||tmp||win||sys||root||ladl||acr||acrp||rdr||rdrp|An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.atlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinAcroUnloadStubMsgAcroReloadStubMsgAcrobatUnloadMsgAcrobatReloadMsgAcroStubUnloadWClassAcroStubUnloadWClassAcroStubUnloadWClassatlTraceNotImplatlTraceAllocationSOFTWARE\Adobe\Adobe Acrobat\DC\LanguageUISOFTWARE\Adobe\Adobe Acrobat\DC\LanguageUIAcroUnloadStubMsgAcroReloadStubMsgatlTraceExceptionAcroRd32.dllAcrobat.dllAcRd32_D.dllAcroDbg.dllSOFTWARE\Adobe\Adobe Acrobat\DC\appvatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibAcrobat.dllAcrobat32OL.dllSoftware\Adobe\Adobe Acrobat\DC\SecurityDEPSoftware\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDownbEnableATL7Compatkernel32.dllGetProcessDEPPolicykernel32.dllSetProcessDEPPolicyntdll.dllNtSetInformationProcess\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\AppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt /if/if pdfshell_prev/CRlaunchCEFInLowIntegrityAdobeAcrobatSpeedLaunchCmdWndAdobeReaderSpeedLaunchCmdWndAcrobat Viewer Safe DDEacrobat_sbxEDIT/if/CR/ac/actuser32.dllSetProcessDPIAwareacrobatres.dllAXE8SharedExpat.dll/dllLoad AppInitEventbProtectedModeSOFTWARE\Policies\Adobe\Adobe Acrobat\DCbIPMTurnedPMONbLastExitNormaliForceExitReasonSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\ExitSectionSoftware\Adobe\Adobe Acrobat\DC\ExitSectioniPMSilentOffiNumSessionsSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegediSessionThresholdiPMSilentOffSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegedbProtectedMode\x86\Acrobat\Acrobat.exe/dllLoadbLTEnableDLLOptimizationAdobe AcrobatSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownDC_AcroAppTimerAcroExe load doneacrord32_super_sbx/if/ifpdfshell_prev/slModebAllowWindowCreationOnBrowserSoftware\Adobe\Adobe Acrobat\DC\PrivilegedUseSandboxModalWndReparenting/slModeopenSoftware\Adobe\Adobe Acrobat\DC\AVGeneraliSLExitTimeHighPartiSLExitTimeLowPartFatal ErrorAcrobat failed to load its Core DLLhttps://helpx.adobe.com/acrobat/kb/acrobat-failed-load-core-dll.htmlAcroWinMainSandbox\??\AcroviewA21CALS_PreflightDdeService\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device
Source: cd.exe	Binary string: fH', pattern = ', semantics = , subsystem = error = Failed to add sandbox rule.D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\sandbox_policy_base.ccinterceptions setup failed - error:process initialization failed - error:g_shared_delayed_integrity_levelg_shared_delayed_mitigationsCreateAppContainerToken\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F]
Source: cd.exe	Binary string: #O\\.\\\?\CreateNamedPipe: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\named_pipe_dispatcher.ccname: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\invalid stoull argumentstoull argument out of range
Source: cd.exe	Binary string: Zh#M\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\dZh0
Source: cd.exe	Binary string: DEST\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Embed SourceEmbedded ObjectatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\AcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibCONTENTSPDFCONTENTSCONTENTS\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\atlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibGetOpenFileNameW`
Source: cd.exe	Binary string: M\Device\Mup\Device\\SystemRoot\\Device\LanmanRedirector\
Source: cd.exe	Binary string: NBrokerEvent0x%XFailed to construct job object for sandbox process - error:D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\broker_services.ccFailed to construct restricted tokens for sandbox process - error:4277065__security_cookieg_sandbox_winsta_handleg_sandbox_desktop_handleg_sandbox_main_thread_idg_broker_already_in_job_that_prohibits_breakawayg_is_compute_only_sandboxg_under_appv_virtualizationg_in_pm_appcontainerg_in_pv_appcontainer%sg_appcontainer_named_object_directory_handleg_appcontainer_object_dirg_broker_process_idFailed to add target - error:AcroBrokerSessionEndMsgListenerClassAcroBrokerSessionEndMsgListener\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe	Binary string: \\\?\.dll.apibad allocationSOFTWARE\Adobe\Adobe Acrobat\DC\InstallPathSOFTWARE\Adobe\Acrobat Reader\DC\InstallPath|ci||cpg||cc||cpt||cpe||cf||csu||cr||cst||cbb||csm||cdd||cdr||cn||cnh||cfo||ct||ccsm||ccp||ccs||ccd||cad||cph||cas||cca||ccf||cic||cco||ch||cmm||cla||ccad||cpf||cmp||cpfc||ccdc||crs||crl||ccam||cat||tmp||win||sys||root||ladl||acr||acrp||rdr||rdrp|An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.atlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinAcroUnloadStubMsgAcroReloadStubMsgAcrobatUnloadMsgAcrobatReloadMsgAcroStubUnloadWClassAcroStubUnloadWClassAcroStubUnloadWClassatlTraceNotImplatlTraceAllocationSOFTWARE\Adobe\Adobe Acrobat\DC\LanguageUISOFTWARE\Adobe\Adobe Acrobat\DC\LanguageUIAcroUnloadStubMsgAcroReloadStubMsgatlTraceExceptionAcroRd32.dllAcrobat.dllAcRd32_D.dllAcroDbg.dllSOFTWARE\Adobe\Adobe Acrobat\DC\appvatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLibAcrobat.dllAcrobat32OL.dllAcroRd32.dllSoftware\Adobe\Adobe Acrobat\DC\SecurityDEPSoftware\Policies\Adobe\Acrobat Reader\DC\FeatureLockDownbEnableATL7Compatkernel32.dllGetProcessDEPPolicykernel32.dllSetProcessDEPPolicyntdll.dllNtSetInformationProcessAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt /if/if pdfshell_prev/CRlaunchCEFInLowIntegrityAdobeAcrobatSpeedLaunchCmdWndAdobeReaderSpeedLaunchCmdWndAcrobat Viewer Safe DDEacrord32_sbxEDIT/if/CR/ac/actuser32.dllSetProcessDPIAware/pass bWasUserPassThroughedSoftware\Adobe\Acrobat Reader\DC\AVGeneralacrord32res.dllAXE8SharedExpat.dll/dllLoad AppInitEvent/dllLoadbLTEnableDLLOptimizationAcroExe load doneSOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdownDCAcrobat Reader_AcroAppTimeracrord32_super_sbx/if/ifpdfshell_prev/slModebAllowWindowCreationOnBrowserUseSandboxModalWndReparentingSoftware\Adobe\Acrobat Reader\DC\Privileged/slModeSoftware\Adobe\Acrobat Reader\DC\AVGeneraliSLExitTimeHighPartiSLExitTimeLowPartFatal ErrorAcrobat failed to load its Core DLLhttps://helpx.adobe.com/acrobat/kb/acrobat-failed-load-core-dll.htmlopen\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\AcroWinMainSandboxAcroviewR21\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\unordered_map/set too longinvalid hash bucket count
Source: cd.exe	Binary string: ONtCreateFile: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\filesystem_dispatcher.ccreal path: NtOpenFile: STATUS_ACCESS_DENIEDNtQueryAttributesFile: STATUS_ACCESS_DENIEDNtQueryFullAttributesFile: STATUS_ACCESS_DENIEDNtSetInformationFile: STATUS_ACCESS_DENIED\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\kernel32.dll
Source: cd.exe	Binary string: 4`@dI0nI 7H\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\CONTENTSCONTENTSAcrobat DocumentPDFCONTENTSLink Source DescriptorLink Source DescriptorObject DescriptorObject DescriptorEmbed SourceEmbed SourceLink SourceLink SourceEmbedded ObjectEmbedded ObjectCustom Link SourceCustom Link SourceObjectLinkObjectLinkCF_BITMAPCF_ENHMETAFILECF_METAFILEPICTCF_DIBNotesDocInfoNotesDocInfoNoteshNoteNoteshNoteLink Source DescriptorObject DescriptorEmbedded ObjectEmbed SourceCustom Link SourceLink SourceObjectLinkNotesDocInfoNoteshNoteAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib
Source: cd.exe	Binary string: zl`l@`l@aFPDFMOutlook.PDFMOutlookSubjectEntryID\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe	Binary string: \"}{\LogTransport2.exeLogTransport2.exeNOVALUE\verclsid.exeverclsid.exe/S/C/I/XIMEPADSV.EXEEmbeddingimjpuex.exeimjpdct.exeifSharedPathModulePathSOFTWARE\Microsoft\IMEJPSOFTWARE\Microsoft\IMEJP\%s\directories\ime\shared\acrotray.exe/Q\acrodist.exe--UseSystemFonts--EditSecurity-C:7--HWND:-J/E/N/P/J/O.pdf.psupdatepvbpreferencepersistmachineiddontsendcreatedumpsendlogsolutionurlopenadobetermsandconditionsopensolutionurldummy\CRWindowsClientService.exeSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Photoshop.exeSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Illustrator.execImageEditorcObjectEditorSOFTWARE\Classes\Applications\mspaint.exe\shell\edit\commandbEnableEditUsingacrobat_sbxSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\notepad++.execJSEditorSOFTWARE\Classes\Applications\notepad.exe\shell\edit\commandD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\process_thread_dispatcher.ccexe name: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
Source: cd.exe	Binary string: AcroCEF\AcroCEF.exeAcroCEF.exeHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXT\Device\HarddiskVolumepipe\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\4202392~NtQueryObjectRtlNtStatusToDosErrorRtlCompareUnicodeString\Device\WinDFSA:CdmRedirectorVolume\Device\HarddiskVolumeDirectoryFileEventSectionKey<>:"\|?*Software\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDownbEnableSameObjectCheckbSupportRDSUPDSYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettingsUvhdEnabledbFilePathPreprocessingShortcutEnabled
Source: cd.exe	Binary string: {l`l@`l@aF\??\\Device\x
Source: cd.exe	Binary string: |l`l@`l@aFatlTraceGeneralatlTraceCOMatlTraceQI\??\atlTraceRegistrar\Device\\\?\UNC\atlTraceRefcount\??\UNC\/?/UNC/\?\UNC\atlTraceWindowing\??\pipe\\??\mailslot\\\?\atlTraceControls\\.\\\atlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPI%d.%u.%d/cr/bbEnforceReadRestrictionsSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownbEnableAlternateLaunchDesktopSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownbEnableAlternateTempDirectorySoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegedbEnableHeapMitigationsbEnableProcessIntegrityMitigationsbEnableEnhancedPolicyRestrictionsbEnableGlobalAtomRestrictionsbPreventCreatingExecutablesbEnableBinaryPlantingProtectionbDisableMultiplePrefetchiPMAppContainerStateSoftware\Adobe\Adobe Acrobat\DC\AVGeneraliSandboxExitCodeSoftware\Adobe\Adobe Acrobat\DC\AVGeneral\cSandboxLaunchFailureiOptionSelectediLastErrorValueiIsBrowserLaunchiIsCaptiveReaderLaunchiSandboxResultCodeiIsProtectedViewbIPMEnabledAppContainerpdfshell_prevbEnableStrictHandleCheckProtectionbEnableNonsystemFontRestrictionsbPVAppContainerFallback0x%XbEnableRemoteDllLoadRestrictionsbPMAppContainerFallbackiNumSessionsbEnableLowLabelDllLoadRestrictionsSoftware\Adobe\Adobe Acrobat\DC\AVGeneraliNumSessionsSoftware\Adobe\Adobe Acrobat\DC\AVGeneral\cSandboxLaunchFailure/if.Software\Adobe\Adobe Acrobat\DC\PrivilegedbEnableProtectedModeAppContainer/CRCoInitializeSecurity() failed, result=0xSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown/if/mspiPMAppContainerLaunchFailureFallbackSandbox Process Initialization Failed - error:/CRDebugbEnableProtectedViewAppContainer/ICSbEnableProtectedModeAppContainerbIPMTurnedPMONbPMSandboxFallbackbProtectedModeFailed to create a security descriptor4057363MbAllowFallbackForAdminEnforcedSandbox/b/l/ifDbEnableAppContainerForDebuggingbEnableProtectedModeAppContainer/idBSoftware\Adobe\Adobe Acrobat\DC\PrivilegedbProtectedModeHandshake with Sandbox Process FailedD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cppbProtectedMode/CRNoRemoveD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cppbProtectedMode/CRInvalid DateTimeSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegedSoftware\Adobe\Adobe Acrobat\DC\PrivilegediPVAppContainerLaunchFailureFallbackReleaseInvalid DateTimeSpanbEnableProtectedViewAppContainer/CR:bEnableProtectedViewWin32kLockdownD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cppMakeScopedAbsoluteSd() failedAcrobatAppIDD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cpp/bAcroCEF\AcroCEF.exeCLSIDD:\B\T\Acrobat\Viewer\win\EXEs\ViewerExe\ChromeSandboxLaunch.cppUnknown process type/r/VAcroCEF\RdrCEF.exeRdrCEF.exeAcroCEF.exe
Source: cd.exe	Binary string: O\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dllkernel32.dll
Source: cd.exe	Binary string: cadialhk.dllacpiz.dllactivedetect32.dllactivedetect64.dllairfoilinject3.dllakinsofthook32.dllassistant_x64.dllatcuf64.dllavcuf64.dllavgrsstx.dllbabylonchromepi.dllbtkeyind.dllcmcsyshk.dllcmsetac.dllcooliris.dllcplushook.dlldockshellhook.dlleasyhook32.dlleasyhook64.dllesspd.dllgoogledesktopnetwork3.dllfwhook.dllguard64.dllhookprocesscreation.dllhookterminateapis.dllhookprintapis.dllimon.dllicatcdll.dllicdcnl.dllioloHL.dllkloehk.dlllawenforcer.dlllibdivx.dlllvprcinj01.dllmadchook.dllmdnsnsp.dllmoonsysh.dllmpk.dlln64hooks.dllnpdivx32.dllnpggNT.desnpggNT.dllnphooks.dlloawatch.dllpastali32.dllpavhook.dllpavlsphook.dllpavshook.dllpavshookwow.dllpctavhook.dllpctgmhk.dllpicrmi32.dllpicrmi64.dllprntrack.dllprochook.dllprotector.dllradhslib.dllradprlib.dllrapportnikko.dllrlhook.dllrooksdol.dllrndlpepperbrowserrecordhelper.dllrpchromebrowserrecordhelper.dllr3hook.dllsahook.dllsbrige.dllsc2hook.dllsdhook32.dllsguard.dllsmum32.dllsmumhook.dllssldivx.dllsyncor11.dllsystools.dlltfwah.dllwblind.dllwbhelp.dllwindowsapihookdll32.dllwindowsapihookdll64.dllwinstylerthemehelper.dllD:\B\T\Imports\Open\Chrome\Chrome\src\services\service_manager\sandbox\win\sandbox_win.ccCreateAppContainerProfileSandbox container for Acrobat Reader Protected ModeAdobe Acrobat Reader DC Protected ModeAdobe.AcrobatReaderDC.ProtectedMode|bLTEnableConcurrencyInBrokerInit01DWSPY36.dll:1|CwComijt.dll:1|cscore.dll:1|vozokopot.dll:1|DreyeiMHook.dll:1|Dev2Dl32.dll:1|Nsccor01.dll:1|nsccor03.dll:1|DSTermPr.dll:1|jesterrun0.dll:1|DreyelMhook.dll:1|druver.dll:1|vpnlsp_x32.dll:1|msnhook.dll:1|hooker.dll:1|pcsw.dll:1|AntiExploitCore.dll:1|netchatidle.dll:1tDllLoadPermtDllLoadPerm_Computeonly4220220S-1-15-2-3805855342-111495108-2588610986-3809954156-747251120-2599371852-2534338891policy error:acrobat.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\RtlInitUnicodeStringntdll.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe	Binary string: NUnknownDefaultNtCreateFileNtOpenFileNtQueryAttributesFileNtQueryFullAttributesFileCreateNamedPipeWNtOpenThreadNtOpenProcessNtOpenProcessTokenNtOpenProcessTokenExCreateProcessWNtCreateKeyNtOpenKeyCreateThreadNtCreateSectioncompute-only-brokercompute-only-rendereripc-co-channelipc-rdr-channeltyperenderershell-broker-channelipc-cef-channellocaleservice-sandbox-typenonenone_and_elevatednetworkppapiutilitycdmprint_compositoraudiosharing_servicespeech_recognitionvideo_capturepdf_conversionproxy_resolverxr_compositingallow-no-sandbox-joballow-sandbox-debuggingdisable-gpu-sandboxdisable-namespace-sandboxdisable-seccomp-filter-sandboxdisable-setuid-sandboxdisable-win32k-lockdownenable-audio-service-sandboxgpu-sandbox-allow-sysv-shmgpu-sandbox-failures-fatalno-sandboxallow-third-party-modulesadd-gpu-appcontainer-capsno-sandbox-and-elevatedadd-xr-appcontainer-capsgpu-processnacl-brokernacl-loaderppapi-brokerppapiutilityservicezygotentdll.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\@
Source: cd.exe	Binary string: A\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ControlH1`@dI0nIPdI\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SystemTopicsSysItemsSystemFormatsCF_TEXTStatusReadyHelpYou are connected to Adobe Acrobat.ReturnMessage 2`@dI0nI 7Hp2`
Source: cd.exe	Binary string: GCreateEvent: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\sync_dispatcher.ccOpenEvent: STATUS_ACCESS_DENIEDConsider modifying policy using these policy rules: EVENTS_ALLOW_ANY\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe	Binary string: H\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\IsWow64Process2SetDefaultDllDirectoriesSetProcessMitigationPolicy\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtSetInformationProcesssecurity descriptor - error:D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\target_process.ccCreateProcessAsUserW failed to create sandbox process - error:job object - error:set thread token - error:g_shared_sectiong_shared_IPC_sizeg_shared_policy_size\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F]#B
Source: cd.exe	Binary string: >`\Device\FileInfo%s%s%c:Superfetchinfo: %x Data: %x
Source: cd.exe	Binary string: 3`@gI84`pfI\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe	Binary string: cCZECSYGREELLSUOFINPOLPLKRUMROMTURTRKMNGMONESPESN\Locale\\brdlang32.Software\Adobe\Adobe Acrobat\DC\Language\current\brdlang32SYSTEM\CurrentControlSet\Control\FileSystemLongPathsEnabled\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\`
Source: cd.exe	Binary string: cnullbooleanintegerdoublestringbinarydictionarylist\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe	Binary string: :Zone.Identifierfeatmonitorapp.exeIPTip_Main_WindowSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer32%CommonProgramFiles%CommonProgramW6432Software\Adobe\Adobe Acrobat\DC\AVGeneralbProtectedModebHasAcrobatConsentDCSoftware\Adobe\Acrobat Reader\DC\PrivilegedContinuous.lnk\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SeChangeNotifyPrivilegeS:(ML;;;;;)S-1-16-16384S-1-16-12288S-1-16-8192S-1-16-6144S-1-16-4096S-1-16-2048S-1-16-0NtCreateLowBoxToken\Sessions\%d\AppContainerNamedObjects\%lsNtCreateDirectoryObject\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F] F] F] F] F] F] F] F] F] F] F] F] F] F]0
Source: cd.exe	Binary string: IDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsHandleAcroURLAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\list too longatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistrar_pptExport.emfatlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceException.tmp.pdfatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPICount
Source: cd.exe	Binary string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Reader /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplication{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcroExch.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\NotificationAppxSOFTWARE\Adobe\Acrobat Reader\\DC\SOFTWARE\Adobe\Acrobat Reader\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstoreAdobe Reader XIRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrd
Source: cd.exe	Binary string: Gbad array new lengthmap/set too longstring too longVersionMajor{AC76BA86-0000-0000-7760-7E8A45000000}InstallLocationAcrobat\Acrobat.exeiEntitlementLevelbLoginStatusTrunkBetaDC\AVEntitlementSOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorVersionMinorInstallLocationAcrobat\Acrobat.exe#32770Learn MoreOkMsgBoxHookMsgBoxHookMsgBoxHookMsgBoxHook0x%XS:(ML;;NW;;;LW)rdrCEF_alternate_desktop_alr_alternate_desktop_rdrCEF_alternate_desktop_alr_alternate_desktop_\S-1-16-4096S:(ML;CIOI;NW;;;LW)TMP=TMP=TEMP=TEMP=LOCALAPPDATA=LOCALAPPDATA===invalid string positionvector too longSOFTWARE\Adobe\Adobe Acrobat\DC\Installer\bIsSingleClientAppbIsSCAcroAppInstalledSCAPackageLevelIsAcrInstalledInRdrModeSeShutdownPrivilegekernel32.dllGetNamedPipeServerProcessIdGetNamedPipeClientProcessIdS:(ML;;NW;;;LW)D:P(D;;GA;;;NU)(D;;GA;;;AN)(A;;GA;;;)(A;;GA;;;AC)\\.\pipe\AIPC_SRV\\\.\pipe\AIPC_CLI\Global\IEACROBATSTARTIPCNAMEDPIPECOMGlobal\ARM Update MutexGlobal\Acro Update MutexC:\thsnYaVieBodaTsnIorcAeBoda\\.\pipe\32B6B37A-4A7D-4e00-95F2-6F0BF3DE3E00SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDownbEnableEventViewerLoggingSoftware\Adobe\Acrobat Reader\DC\PrivilegedbEnableEventViewerLoggingAdobe ReaderDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsHandleAcroURLAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\list too long4057363broker_pdfshell_sh/if/id %uAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Software\Adobe\Acrobat Reader\DC\FeatureStateSoftware\Adobe\Adobe Acrobat\DC\FeatureStateatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClient\??\\Device\atlTraceDBProvider\\?\UNC\\??\UNC\/?/UNC/atlTraceSnapin\?\UNC\\??\pipe\\??\mailslot\atlTraceNotImpl\\?\\\.\\\atlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPIAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib%d.%u.%d/cr/bSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownbEnforceReadRestrictionsSOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdownbEnableAlternateLaunchDesktopSoftware\Adobe\Adobe
Source: cd.exe	Binary string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplicationSOFTWARE\Adobe\Adobe Acrobat\{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 IS_COEX_REPAIR=1 /qn/i msiexec.exe/i AppDoNotTakePDFOwnershipAtLaunch ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qnmsiexec.exeAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Dev
Source: cd.exe	Binary string: O 3Eg_interceptionsNtMapViewOfSectionNtUnmapViewOfSectiong_originals\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Invalid Object foundD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\filesystem_policy.ccrequested path: actual path: Unexpected handle for path: Unexpected handle\/?/?\?:?:\\/?/?\UNC\Failed to process path (recursion detected): error code:Failed to process path:Unexpected error in path processing of:Unexpected error in source path processing of:::$DATA:$I30:$INDEX_ALLOCATION::$INDEX_ALLOCATION\\.\pipe\\\.\mailslot\Invalid path: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\\?\pipe\\Device\NamedPipe\SameObject check failed: D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\named_pipe_policy.ccntdll.dllkernel32.dllNtAllocateVirtualMemoryNtCloseNtDuplicateObjectNtFreeVirtualMemoryNtProtectVirtualMemoryNtQuerySectionNtQueryVirtualMemoryNtSignalAndWaitForSingleObjectNtWaitForSingleObjectRtlAllocateHeapRtlAnsiStringToUnicodeStringRtlCreateHeapRtlCreateUserThreadRtlDestroyHeapRtlFreeHeap_strnicmpstrlenwcslenmemcpy_wcsnicmpswprintf_sNtQueryInformationThreadNtSetInformationFileNtDeleteValueKeyNtCreateMutantNtOpenMutantNtOpenSectionNtAddAtomNtFindAtomNtDeleteAtomNtQueryInformationAtomg_ntNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenEx\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtSuspendProcessNtResumeProcessNtCreateProcessExntdll.dllInitializeProcThreadAttributeListUpdateProcThreadAttributeCreateProcessWAction: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\process_thread_policy.ccapp name: command line: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ for: Unexpected D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\registry_policy.ccReal path: CreateKeyOpenKey\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Handle AccessCheck failed: D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\signed_policy.cc\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtQuerySymbolicLinkObjectNtOpenSymbolicLinkObject%d\Sessions\BNOLINKSNtCreateEventNtOpenEvent\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
Source: cd.exe	Binary string: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Ntdll.dllNtQueryInformationProcessSTATIC_acroS_winAcroPDF.dllAcroPDFImpl.dllNPPdf32.dllPDFPrevHndlr.dllPDFPrevHndlrShim.dllPDFThumbHndlr.dllPDFShell.dllPDFPropHndlr.dllAcroSBL/b/id/id4057363/if%s_%lu_%lu/acGeckoPluginWindowplugin-container.exe4021007AcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSTATICswBrowser|rdr|\Javascripts\JSByteCodeWin.bin|rdr|\AdobeUpdater.dll|sys|\ddraw.dll|sys|\dciman32.dllAdobeReaderSpeedLaunchCmdWndSOFTWARE\Adobe\Acrobat Reader\DC\AcroSpeedLaunchAcrobatSDIWindowAdobeAcrobatAcrobatTimerWndAcrobat runningMcShieldAvSynMgrnavapsvcAntiVirServiceAVPekrnIsVirusCheckerPresentServicesActivefound servicerunningIsVirusCheckerPresent doneAbortWM_CLOSEerr in TimeoutOrExitWaitUntilTimeoutOrMustExitOrVirusCheckerPresenterr in checkerSetThreadPriority worker thread lownot all ops, go into vc modewaitingmsvcr100.dllmsvcp100.dlldo Opsworker throw!worker doneTerminate thread!

Classification label

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@4/27@6/5

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Sample might require command line arguments

Source: cd.exe	String found in binary or memory: /cite/word/install
Source: cd.exe	String found in binary or memory: Couldn't find documents: You have selected documents from both My Library a Shared Group, or from multiple Shared Groups, which is not supported.Documents in multiple groupsPlease select the documents you wish to cite.importing %1 documents from plugin into ??geometry/newLibrarySplittergeometry/horizontalSplittergeometry/verticalSplitterSynchronizing - Step %1 of %2GroupFilterCollectionDeletedFilter1trigger()Synchronizing Zotero - Step %1 of %22duplicateSearchStarted(WorkerJob::Pointer)1highlightAndScrollTo(QList<Document::Pointer>)2allJobsFinished(QList<Document::Pointer>)Invite/invite/?dgcid=Mendeley_Desktop_Invite-colleagues/cite/word/install/importshowSignInmendeley://loginshowJoinMendeleyFormmendeley://registerDelete this document from your library?Delete %1 documents from your library?
Source: cd.exe	String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
Source: cd.exe	String found in binary or memory: 1openHelpGuides()Help Guides1openMendeleyWebsite()Mendeley Website1openFAQ()FAQ1openContactSupport()Contact SupportCheck for UpdatesCheck Now1toggleCheckForPreviewUpdates()Create Backup...1openMendeleyPrivacyPolicy()Privacy Policy1openMendeleyTandCs()Terms and Conditions1showAbout()https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-websitehttps://www.elsevier.com/legal/elsevier-website-terms-and-conditionshttps://www.elsevier.com/legal/privacy-policyhttps://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQhttps://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contact-SupportOpt-out of Experimental ReleasesOpt-in to Experimental Releases
Source: cd.exe	String found in binary or memory: recently-added
Source: cd.exe	String found in binary or memory: 1timeout()1showDocumentView()all-documentsrecently-addedmy-publicationsfavoritesfavouritesunsortedselectExistingGroupByIdactiongroupIdtabNameoverviewmembersInvalid group tab namefailed to select group1syncProgressChanged(QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>)2progressChanged(QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>)1updateRecentlyRead()selectExistingDocumentByIdidfileToOpenselectExistingFolderByIdfolderIdcan't fetch unknown document No document found matching the id1showStyleError(StylesFetcher::DownloadFromUrlError,QString)1selectStyle(QString)Style selected - %1Cannot install - %1. Error: %2No folder found matching the remote idMainWindowController::selectFilterByName: Can't find the filter showDocumentViewsetDocumentPropertiesPaneVisibilityselectMetadataTabselectTagsAndNotesTabselectFilterBySlugselectFilterByNameselectDocumentRowselectMainTabselectDocumentByIdselectGroupByIdH
Source: cd.exe	String found in binary or memory: :/images/onboarding/bubbles/add_copy.png
Source: cd.exe	String found in binary or memory: Try Mendeley <a href="https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-Importer"><b>Web Plugin</b></a> to import documents in just one click
Source: cd.exe	String found in binary or memory: <html><head/><body><p><a href="https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">Cite</span></a> your Mendeley references in Microsoft Word<sup>&reg;</sup> or LibreOffice<sup>&trade;</sup></p></body></html>
Source: cd.exe	String found in binary or memory: <html><head/><body><p>Discover how to <a href="https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">highlight and annotate</span></a> documents in your library</p></body></html>
Source: cd.exe	String found in binary or memory: :/images/onboarding/bubbles/next.pngAdd and CreateUserGuidePopoverWidgetHide the Guidance PopupAlt+CClick here to <b>import</b> documents and folders to your library or <b>create new</b> entries manually.or importImport other librariesTry Mendeley <a href="https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-Importer"><b>Web Plugin</b></a> to import documents in just one clickYour Mendeley Library is backed up to the Mendeley Cloud every time you sync so you can access it on Mendeley Web Library, Mendeley Mobile or other installations of Mendeley Desktop. You can manage synchronization of your file attachments here.Click the help button to find out more about Mendeley and learn how to cite, annotate and collaborate.Learn how to<html><head/><body><p><a href="https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">Cite</span></a> your Mendeley references in Microsoft Word<sup>&reg;</sup> or LibreOffice<sup>&trade;</sup></p></body></html><html><head/><body><p>Discover how to <a href="https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">highlight and annotate</span></a> documents in your library</p></body></html>QPushButton:pressed { border: 1px solid white; background: white; color: white; opacity: 255; }QPushButton:pressed { border: 1px solid #F6F6F6; background: #F6F6F6; color: white; opacity: 255; }UserGuidePopover1trackButtonClick()1page0AltContentBiTeXButtonClicked()1page0AltContentEndNoteButtonClicked()1page0AltContentRISButtonClicked()1display()2displaySignal():/images/onboarding/bubbles/next.png:/images/onboarding/bubbles/close-button.pngStorage: Local & CloudThe help button will always be hereUserGuidePopover_Page%1unverifiedH
Source: cd.exe	String found in binary or memory: :/images/onboarding/bubbles/next.pngAdd and CreateUserGuidePopoverWidgetHide the Guidance PopupAlt+CClick here to <b>import</b> documents and folders to your library or <b>create new</b> entries manually.or importImport other librariesTry Mendeley <a href="https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-Importer"><b>Web Plugin</b></a> to import documents in just one clickYour Mendeley Library is backed up to the Mendeley Cloud every time you sync so you can access it on Mendeley Web Library, Mendeley Mobile or other installations of Mendeley Desktop. You can manage synchronization of your file attachments here.Click the help button to find out more about Mendeley and learn how to cite, annotate and collaborate.Learn how to<html><head/><body><p><a href="https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">Cite</span></a> your Mendeley references in Microsoft Word<sup>&reg;</sup> or LibreOffice<sup>&trade;</sup></p></body></html><html><head/><body><p>Discover how to <a href="https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">highlight and annotate</span></a> documents in your library</p></body></html>QPushButton:pressed { border: 1px solid white; background: white; color: white; opacity: 255; }QPushButton:pressed { border: 1px solid #F6F6F6; background: #F6F6F6; color: white; opacity: 255; }UserGuidePopover1trackButtonClick()1page0AltContentBiTeXButtonClicked()1page0AltContentEndNoteButtonClicked()1page0AltContentRISButtonClicked()1display()2displaySignal():/images/onboarding/bubbles/next.png:/images/onboarding/bubbles/close-button.pngStorage: Local & CloudThe help button will always be hereUserGuidePopover_Page%1unverifiedH
Source: cd.exe	String found in binary or memory: Please upgrade to a supported version of MS Word and re-install the Mendeley plugin through Mendeley Desktop's 'Tools' menu. Sorry for the inconvenience.
Source: cd.exe	String found in binary or memory: 1updateWordPlugin()1uninstallWordPlugin()Please upgrade to a supported version of MS Word and re-install the Mendeley plugin through Mendeley Desktop's 'Tools' menu. Sorry for the inconvenience.The Mendeley plugin requires Microsoft Word %1 or later.
Source: cd.exe	String found in binary or memory: documents-add
Source: cd.exe	String found in binary or memory: folder-add
Source: cd.exe	String found in binary or memory: 333?editMenuSeparatorviewerActions.selectionMenuviewerActions.highlightMenuviewerActions.zoomModeMenudocuments-addAddnewDocumentActionImport additional documents to the current collectionaddFilesActionaddFolderActionWatch FolderwatchFolderActionAdd Entry ManuallyaddManualEntryActionemptyEmptyemptyTrashActionDelete all documents from the Trashdocument-deleteremoveDocumentActionMove the selected documents to the TrashremoveDocumentActionTrashContextDelete the selected documents from the TrashrestoreRestoreRestore DocumentsrestoreDocumentActionRestore the selected documents to their original locationRemove from FolderremoveFromFolderActionRemove the selected documents from this folderRename Document Files...renameDocumentActionfolder-addCreate FolderNew Folder...newFolderActionCreate a new folderNew GroupNew Group...newGroupActionCreate a new groupfolder-removeRemove CollectionRemoveCollectionActionRemove the current collectioneditSettingsActionRename Collection...renameFolderActionmagnifiercatalogSearchActionMendeley Catalog Searchrelated-documentsRelatedrecommendActionRecommend related documentsSyncSynchronize LibrarysynchronizeActionSynchronize your library with Mendeley WebHelpHelp ContentshelpActionOpen the Online Help Guide for MendeleyFindfindActionFind NextfindNextActionFind PreviousfindPreviousActionselectAllActionciteCitesendCitationActionSend citation to plugincancelcancelCitationActionCancel sending citation to pluginEdit...editDocumentActionactionNotDuplicatesUpdate DetailslookupMetadataActionfullscreenFullscreenfullScreenActionzoomActionzoom-inZoom InzoomInActionzoom-outZoom OutzoomOutActionrotate-leftRotate LeftrotateAnticlockwiseActionrotate-rightRotate RightrotateClockwiseActionpanPanpanActionfit-pageFit to PagezoomModeFitPageActionfit-widthFit to WidthzoomModeFitWidthActionzoomModeCustomselectActionselect-rectangleSelect RectangleselectRectangleActionselect-textSelectSelect TextselectFlowActionColorSelect ColorselectColorActionhighlightActionhighlight-textHighlightHighlight TexthighlightTextActionhighlight-rectHighlight RectanglehighlightRectangleActionnoteNoteAdd NoteaddNoteActioncopyActionpasteAction:/icons/64x64/actions/%1/%2.png:/icons/toolbar/%1/%2.png:/icons/toolbar/%1/%2-active.png:/icons/16x16/actions/%1.png
Source: cd.exe	String found in binary or memory: The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
Source: cd.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: cd.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: cd.exe	String found in binary or memory: Commands : /install - Installs Steam Client Service
Source: cd.exe	String found in binary or memory: /installscript <file> <appid> - Runs a Steam game install script
Source: cd.exe	String found in binary or memory: /installscript
Source: cd.exe	String found in binary or memory: /installscript failed on: %s: %d
Source: cd.exe	String found in binary or memory: /install
Source: cd.exe	String found in binary or memory: /install service install failed
Source: cd.exe	String found in binary or memory: /setupsteam <command line> - Runs SteamSetup.exe/hide/installscript/installscript failed on: %s: %d
Source: cd.exe	String found in binary or memory: /install/install service install failed
Source: cd.exe	String found in binary or memory: /Install
Source: cd.exe	String found in binary or memory: /Stop
Source: cd.exe	String found in binary or memory: /Stop
Source: cd.exe	String found in binary or memory: /Install/Uninstall/Start/Stop/RunAsService
Source: cd.exe	String found in binary or memory: /Install/Uninstall/Start/Stop/RunAsService
Source: cd.exe	String found in binary or memory: /Install/Uninstall/Start/Stop/RunAsService
Source: cd.exe	String found in binary or memory: ,ZJAll AccessRead/WriteExecuteQuery ValueSet ValueCreate Sub KeyEnumerate Sub KeysNotifyCreate LinkWOW64_ResWOW64_32KeyWOW64_64KeyGeneric Read/Write/ExecuteGeneric Read/WriteGeneric Read/ExecuteGeneric Write/ExecuteGeneric ReadGeneric WriteGeneric ExecuteRead Data/List DirectoryWrite Data/Add FileAppend Data/Add Subdirectory/Create Pipe InstanceRead EAWrite EAExecute/TraverseDelete ChildRead AttributesWrite AttributesRead ControlWrite DACWrite OwnerSynchronizeAccess System SecurityMaximum Allowedkernel32.dllSD\fltlib.dll%llx%lf%s%07d%02u:%02u:%02u.%07u%02u:%02u:%02u%I64d0x%I64x-1%I64u KB MB GBWindows 2000Windows XPWindows XP x64Windows Server 2003Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016Windows %d.%d (build %d.%d)%08x:%08x%02X64-bit32-bit%x:%x:%x:%x:%x:%x:%x:%x%d.%d.%d.%d:%d:None
Source: cd.exe	String found in binary or memory: -help
Source: cd.exe	String found in binary or memory: sun/launcher/LauncherHelper
Source: cd.exe	String found in binary or memory: Error: Corrupt jvm.cfg file; cycle in alias list.ERRORError: Unable to resolve VM alias %sWarning: %s VM not supported; %s VM will be usedError: %s VM not supported-version-fullversion-help-?-jar-X-XX:NativeMemoryTracking=%s%d=%s%s%dTRACER_MARKER: NativeMemoryTracking: env var is %s
Source: cd.exe	String found in binary or memory: sun/launcher/LauncherHelper(Z[B)Ljava/lang/String;makePlatformStringjava/lang/String(ZILjava/lang/String;)Ljava/lang/Class;checkAndLoadMain%ld micro seconds to load main class
Source: cd.exe	String found in binary or memory: browser-startup-dialog
Source: cd.exe	String found in binary or memory: enable-service-binary-launcher
Source: cd.exe	String found in binary or memory: gpu-launcher
Source: cd.exe	String found in binary or memory: gpu-sandbox-start-early
Source: cd.exe	String found in binary or memory: gpu-startup-dialog
Source: cd.exe	String found in binary or memory: ppapi-plugin-launcher
Source: cd.exe	String found in binary or memory: ppapi-startup-dialog
Source: cd.exe	String found in binary or memory: renderer-startup-dialog
Source: cd.exe	String found in binary or memory: utility-startup-dialog
Source: cd.exe	String found in binary or memory: gpu2-startup-dialog
Source: cd.exe	String found in binary or memory: --start-crash-handler
Source: cd.exe	String found in binary or memory: QVersionNumbera+CONOUT$--start-crash-handlerRadareOrgCutterQList

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Submission file is bigger than most known malware samples

Source: cd.exe

Static file information: File size 3922432 > 1048576

PE file contains a debug data directory

Source: cd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: D:\a\1\s\Win32\Release\logonsessions.pdb source: cd.exe
Source:	Binary string: c:\stream\develop\Regionhunt.pdb source: cd.exe
Source:	Binary string: D:\a\1\s\Win32\Release\RamMap.pdb source: cd.exe
Source:	Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb))) source: cd.exe
Source:	Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb source: cd.exe
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: cd.exe
Source:	Binary string: C:\agent\_work\93\s\Win32\Release\autoruns.pdb source: cd.exe
Source:	Binary string: D:\a\1\s\Win32\Release\adrestore.pdb source: cd.exe
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: cd.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\cd.exe

Unpacked PE file: 1.2.cd.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\cd.exe

Unpacked PE file: 1.2.cd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;aZAqrnJo:R;BGOllIzc:R;yQtoRARz:R;dZLJZOuu:R;sdDGHbsk:R;cQfsAIeK:R;nJjdtQIB:R;pcHOcQzM:R;wDcvvqlu:R;orXBiygL:R;AiZKCfrK:R;myoGvTPf:R;AVTlzkED:R;bzLENpIH:R;XcYnViEt:R;mbKhPZXg:R;lUpFJlcq:R;yiDSdvAK:R;tWLpgAgw:R;bTGdVUjl:R;ziIDaoXi:R;LzawvTwX:R;LnIDzdzd:R;wkCXpCGo:R;nqpeKqho:R;MRjgEOqy:R;JcLmCXgA:R;OtycdIdu:R;IbVOTdPC:R;FgFHDyjf:R;ybeqBvHg:R;IbzUQYJs:R;AQBgSYnS:R;XxFUmGWX:R;afVQQtfj:R;nwvMTysA:R;ZHPQhgLD:R;pxMMJkwk:R;JXHCNYcJ:R;lYRopDTG:R;bcYTpMaT:R;nuBezWiu:R;yPvpmSBg:R;OoEfGgTM:R;kYRGCWEC:R;ssiFbfZW:R;KHKSQqok:R;NcZcjaDP:R;mIUEylgT:R;lluFjCpP:R;BHqNuAAF:R;dWFkhiaJ:R;NeKPPFmp:R;mRaJxCpw:R;sjZRApAc:R;mJuapRBt:R;AUQwTDRB:R;Mzpcxreq:R;DQLewjlc:R;yQzDovRx:R;KsasGyWE:R;qALhWEsZ:R;EhLKChYp:R;juiuAwmE:R;FPCcnPuO:R;DQPOFovS:R;eeLebknr:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\cd.exe

Code function: 1_2_0040322B push ecx; ret

1_2_0040323B

PE file contains sections with non-standard names

Source: cd.exe	Static PE information: section name: aZAqrnJo
Source: cd.exe	Static PE information: section name: BGOllIzc
Source: cd.exe	Static PE information: section name: yQtoRARz
Source: cd.exe	Static PE information: section name: dZLJZOuu
Source: cd.exe	Static PE information: section name: sdDGHbsk
Source: cd.exe	Static PE information: section name: cQfsAIeK
Source: cd.exe	Static PE information: section name: nJjdtQIB
Source: cd.exe	Static PE information: section name: pcHOcQzM
Source: cd.exe	Static PE information: section name: wDcvvqlu
Source: cd.exe	Static PE information: section name: orXBiygL
Source: cd.exe	Static PE information: section name: AiZKCfrK
Source: cd.exe	Static PE information: section name: myoGvTPf
Source: cd.exe	Static PE information: section name: AVTlzkED
Source: cd.exe	Static PE information: section name: bzLENpIH
Source: cd.exe	Static PE information: section name: XcYnViEt
Source: cd.exe	Static PE information: section name: mbKhPZXg
Source: cd.exe	Static PE information: section name: lUpFJlcq
Source: cd.exe	Static PE information: section name: yiDSdvAK
Source: cd.exe	Static PE information: section name: tWLpgAgw
Source: cd.exe	Static PE information: section name: bTGdVUjl
Source: cd.exe	Static PE information: section name: ziIDaoXi
Source: cd.exe	Static PE information: section name: LzawvTwX
Source: cd.exe	Static PE information: section name: LnIDzdzd
Source: cd.exe	Static PE information: section name: wkCXpCGo
Source: cd.exe	Static PE information: section name: nqpeKqho
Source: cd.exe	Static PE information: section name: MRjgEOqy
Source: cd.exe	Static PE information: section name: JcLmCXgA
Source: cd.exe	Static PE information: section name: OtycdIdu
Source: cd.exe	Static PE information: section name: IbVOTdPC
Source: cd.exe	Static PE information: section name: FgFHDyjf
Source: cd.exe	Static PE information: section name: ybeqBvHg
Source: cd.exe	Static PE information: section name: IbzUQYJs
Source: cd.exe	Static PE information: section name: AQBgSYnS
Source: cd.exe	Static PE information: section name: XxFUmGWX
Source: cd.exe	Static PE information: section name: afVQQtfj
Source: cd.exe	Static PE information: section name: nwvMTysA
Source: cd.exe	Static PE information: section name: ZHPQhgLD
Source: cd.exe	Static PE information: section name: pxMMJkwk
Source: cd.exe	Static PE information: section name: JXHCNYcJ
Source: cd.exe	Static PE information: section name: lYRopDTG
Source: cd.exe	Static PE information: section name: bcYTpMaT
Source: cd.exe	Static PE information: section name: nuBezWiu
Source: cd.exe	Static PE information: section name: yPvpmSBg
Source: cd.exe	Static PE information: section name: OoEfGgTM
Source: cd.exe	Static PE information: section name: kYRGCWEC
Source: cd.exe	Static PE information: section name: ssiFbfZW
Source: cd.exe	Static PE information: section name: KHKSQqok
Source: cd.exe	Static PE information: section name: NcZcjaDP
Source: cd.exe	Static PE information: section name: mIUEylgT
Source: cd.exe	Static PE information: section name: lluFjCpP
Source: cd.exe	Static PE information: section name: BHqNuAAF
Source: cd.exe	Static PE information: section name: dWFkhiaJ
Source: cd.exe	Static PE information: section name: NeKPPFmp
Source: cd.exe	Static PE information: section name: mRaJxCpw
Source: cd.exe	Static PE information: section name: sjZRApAc
Source: cd.exe	Static PE information: section name: mJuapRBt
Source: cd.exe	Static PE information: section name: AUQwTDRB
Source: cd.exe	Static PE information: section name: Mzpcxreq
Source: cd.exe	Static PE information: section name: DQLewjlc
Source: cd.exe	Static PE information: section name: yQzDovRx
Source: cd.exe	Static PE information: section name: KsasGyWE
Source: cd.exe	Static PE information: section name: qALhWEsZ
Source: cd.exe	Static PE information: section name: EhLKChYp
Source: cd.exe	Static PE information: section name: juiuAwmE
Source: cd.exe	Static PE information: section name: FPCcnPuO
Source: cd.exe	Static PE information: section name: DQPOFovS
Source: cd.exe	Static PE information: section name: eeLebknr

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 6.93749374769

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\cd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\cd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: cd.exe

Binary or memory string: IIRP_MJ_FASTIO_PROCMON.EXEPROCEXP.EXEAUTORUNS.EXESYSTEMPAGEFILE.SYS$MFT$MFTMIRR$LOGFILE$VOLUME$ATTRDEF$ROOT$BITMAP$BOOT$BADCLUS$SECURE$UPCASE$EXTENDFAST IOINCLUDEEXCLUDE<BAD>OKAY TO OVERWRITE EVENT LOG ''?AN ERROR OCCURRED OPENING THE SNAPSHOT ''APPLYING EVENT FILTEROPERATION CANCELLED: THE LISTVIEW DATA MAY BE INCOMPLETEPROCESS MONITOR CAN OPEN AT MOST BACKING FILES<PAGEFILE>YESNOEVENTPROCESSINDEXSTACKFRAMEDEPTHADDRESS + PATHLOCATIONPROCESSPROCESSIDPARENTPROCESSIDPARENTPROCESSINDEXAUTHENTICATIONIDCREATETIMEFINISHTIMEISVIRTUALIZEDIS64BITINTEGRITYOWNERPROCESSNAMECOMMANDLINECOMPANYNAMEVERSIONDESCRIPTIONMODULELISTMODULETIMESTAMPBASEADDRESSSIZECOMPANYPROCESS MONITOR - EXPORTING EVENT DATAWT, CCS=UTF-8"%S"

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_004359CA mov eax, dword ptr fs:[00000030h]		1_2_004359CA
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_0043559C push dword ptr fs:[00000030h]		1_2_0043559C
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_008004F4 mov eax, dword ptr fs:[00000030h]		1_2_008004F4
Source: C:\Users\user\Desktop\cd.exe	Code function: 1_2_008000C6 push dword ptr fs:[00000030h]		1_2_008000C6

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\cd.exe

Code function: 1_2_00401873 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk,

1_2_00401873

Contains functionality to register its own exception handler

Source: C:\Users\user\Desktop\cd.exe

Code function: 1_2_00402F32 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,

1_2_00402F32

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: cd.exe

Binary or memory string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Reader /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplication{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcroExch.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\NotificationAppxSOFTWARE\Adobe\Acrobat Reader\\DC\SOFTWARE\Adobe\Acrobat Reader\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstoreAdobe Reader XIRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrd

Source: cd.exe

Binary or memory string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplicationSOFTWARE\Adobe\Adobe Acrobat\{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 IS_COEX_REPAIR=1 /qn/i msiexec.exe/i AppDoNotTakePDFOwnershipAtLaunch ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qnmsiexec.exeAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Dev

Language, Device and Operating System Detection:

Contains functionality to query windows version

Source: C:\Users\user\Desktop\cd.exe

Code function: 1_2_00401342 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_00401342

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

Yara detected PsExec sysinternal tool

Source: Yara match

File source: cd.exe, type: SAMPLE