
Windows Analysis Report cd.exe

Overview

General Information

Sample Name: cd.exe
Analysis ID: 483177
MD5: cd02e745a08dd29cb6fda1761b2f4b6e
SHA1: 1a0dd3348bb0f856fff51f7e22364b0974fa1ad3
SHA256: a4ff2e7dd35e8f7362739c3a578563458548ed5ffb30abe5ec6bf6f2c0de8eb7
Tags: exe

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Found PSEXEC tool (often used for remote process execution)
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Yara detected PsExec sysinternal tool
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
PE file contains more sections than normal
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • cd.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\cd.exe' MD5: CD02E745A08DD29CB6FDA1761B2F4B6E)
  • iexplore.exe (PID: 4568 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 160 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
cd.exe | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: cd.exe; ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: cd.exe; Joe Sandbox ML: detected
Source: 1.2.cd.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.3.cd.exe.82998c.0.unpack; Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\cd.exe; Unpacked PE file: 1.2.cd.exe.400000.0.unpack
Source: cd.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown; HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.102.106:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: Binary string: D:\a\1\s\Win32\Release\logonsessions.pdb source: cd.exe
Source: Binary string: c:\stream\develop\Regionhunt.pdb source: cd.exe
Source: Binary string: D:\a\1\s\Win32\Release\RamMap.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb))) source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: cd.exe
Source: Binary string: C:\agent\_work\93\s\Win32\Release\autoruns.pdb source: cd.exe
Source: Binary string: D:\a\1\s\Win32\Release\adrestore.pdb source: cd.exe
Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: cd.exe

Spreading:

Found PSEXEC tool (often used for remote process execution)
Source: cd.exe; String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49737 -> 173.239.8.164:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49737 -> 173.239.8.164:80
Source: Traffic; Snort IDS: 2030821 ET MALWARE Win32/Zonebac Traffic Redirect 192.168.2.6:49737 -> 173.239.8.164:80
Source: Joe Sandbox View; ASN Name: WEBAIR-INTERNETUS WEBAIR-INTERNETUS
Source: Joe Sandbox View; JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Yara match; File source: cd.exe, type: SAMPLE
Source: Joe Sandbox View; IP Address: 173.192.101.24 173.192.101.24
Source: Joe Sandbox View; IP Address: 173.192.101.24 173.192.101.24
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown; Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown; Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown; Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown; Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown; Network traffic detected: HTTP traffic on port 49739 -> 443
Source: msapplication.xml0.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc9954168,0x01d7a9bc</date><accdate>0xc9954168,0x01d7a9bc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: re currently viewing and your location (ad serving is based on general location). Personalised content and ads can be based on those things and your activity, like Google searches and videos that you watch on YouTube. Personalised content and ads include things like more relevant results and recommendations, a customised YouTube homepage, and ads that are tailored to your interests.</div><div class="yS1nld">Click 'Customise' to review options, including controls to reject the use of cookies for personalisation and information about browser-level controls to reject some or all cookies for other uses. You can also visit <span>g.co/privacytools</span> at any time.</div></div></div></div><div class="VDity"><button class="tHlp8d" id="VnjCcb" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQiJAHCBo"><div class="jyfHyd" role="none">Customise</div></button><button class="tHlp8d" id="L2AGLb" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQiZAHCBs"><div class="jyfHyd" role="none">I agree</div></button></div><div class="XWlrff"><style>.XWlrff{margin:20px;display:flex;flex-direction:row;justify-content:center;position:absolute;bottom:0;right:0;left:0}.peRL2e,.o9D5Zb{color:#70757a;text-decoration:none}.o9D5Zb{margin:0 10px}.XWlrff{margin:18px auto 20px;position:relative}@media (max-width:320px){.peRL2e{font-size:11px}}@media (max-height:480px){.XWlrff{margin-bottom:10px}}</style><a class="peRL2e" href="https://policies.google.com/privacy?hl=en-GB&amp;fg=1&amp;utm_source=ucbs" id="RP3V5c" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQj5AHCBw">Privacy</a><div class="o9D5Zb" aria-hidden="true">&middot;</div><a class="peRL2e" href="https://policies.google.com/terms?hl=en-GB&amp;fg=1&amp;utm_source=ucbs" id="HQ1lb" data-ved="0ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQkJAHCB0">Terms</a></div></div></div></span></div></div><script nonce="sBDQvviEJYE6GoG6F/T2Gw==">(function(){var consentCookiePayload='YES+shp.gws-20210909-0-RC2.en+FX+509';var nidCookiePayload='223\x3dao_PNWYHKNRTKr72m4usLcTnJh9tuvM0SumQjLr2NpAzZjJRtiknK0gCmTBXLOnKGQSjcjc7q7fXQyHh5YsCZxvbJHtqG4tUjigGnPyvRGQzyKRILvDlG4HWUN7F5Jpi_nHXn1ESCCOSvi8kY-pjocaxP4tq4OrC3-8IjbCQNp0';var cookieDomain='.google.com';var cookieUpdateConsentUrl='https://consent.google.com/s?continue\x3dhttps://www.google.com/?gws_rd%3Dssl\x26gl\x3dGB\x26m\x3d0\x26pc\x3dshp\x26uxe\x3dnone\x26v\x3dshp.gws-20210909-0-RC2.en%2BFX%2B509\x26ca\x3de\x26x\x3d5\x26t\x3dADw3F8gQkSzvPQQLJeh4nXGqegxVPXiLSQ:1631628204516';var sIU='https://accounts.google.com/ServiceLogin?hl\x3den\x26continue\x3dhttps://www.google.com/?gws_rd%3Dssl\x26gae\x3dcb-none';var cU='https://consent.google.com/d?continue\x3dhttps://www.google.com/?gws_rd%3Dssl\x26gl\x3dGB\x26m\x3d0\x26pc\x3dshp\x26uxe\x3dnone\x26hl\x3den\x26src\x3d2';var pC='SEARCH_HOMEPAGE';var gL='GB';var isMobile=false;var srp=false; equals www.youtube.com (Youtube)
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: http://agoogleaday.com/%23date%3D2011-06-04
Source: cd.exe; String found in binary or memory: http://citationstyles.org/
Source: cd.exe; String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/
Source: ~DFFAD0E470126C2D77.TMP.7.dr, index[1].htm.9.dr; String found in binary or memory: http://google.com
Source: 1G7O03DV.htm.9.dr, ~DFFAD0E470126C2D77.TMP.7.dr; String found in binary or memory: http://menehleibe.com/
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr; String found in binary or memory: http://menehleibe.com/Root
Source: cd.exe; String found in binary or memory: http://p.yusukekamiyamane.com/
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: http://schema.org/WebPage
Source: cd.exe; String found in binary or memory: http://support.mendeley.com/customer/portal/articles/227955
Source: 1G7O03DV.htm.9.dr; String found in binary or memory: http://ww9.menehleibe.com/
Source: msapplication.xml.7.dr; String found in binary or memory: http://www.amazon.com/
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr; String found in binary or memory: http://www.broofa.com
Source: msapplication.xml1.7.dr, 0V71R0V5.htm.9.dr; String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.7.dr; String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr; String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr; String found in binary or memory: http://www.reddit.com/
Source: cd.exe; String found in binary or memory: http://www.sysinternals.com
Source: cd.exe; String found in binary or memory: http://www.sysinternals.comFileVersionLegalCopyright
Source: cd.exe; String found in binary or memory: http://www.sysinternals.comWindowPositionSOFTWARE
Source: cd.exe; String found in binary or memory: http://www.sysinternals.comopenConnection
Source: cd.exe; String found in binary or memory: http://www.sysinternals.comopenFolder
Source: msapplication.xml5.7.dr; String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.7.dr; String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr; String found in binary or memory: http://www.youtube.com/
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://accounts.google.com/ServiceLogin?hl
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://adservice.google.com/adsid/google/ui
Source: LM1X3BMT.htm.9.dr, rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr; String found in binary or memory: https://apis.google.com
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://artsandculture.google.com/partner/museo-reina-sofia
Source: cd.exe; String found in binary or memory: https://citationstyles.org
Source: cd.exe; String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlBrowser
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://consent.google.com/d?continue
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://consent.google.com/s?continue
Source: cd.exe; String found in binary or memory: https://crashpad.chromium.org/
Source: cd.exe; String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: cd.exe; String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: cd.exe; String found in binary or memory: https://csl.mendeley.com
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://donate.google.com/checkout?campaignid%3D6420545008435200
Source: imagestore.dat.9.dr; String found in binary or memory: https://gertrk.com/favicon.ico
Source: ~DFFAD0E470126C2D77.TMP.7.dr; String found in binary or memory: https://gertrk.com/nlp/index.php?url_bnm_redirect=http://google.com
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr; String found in binary or memory: https://gertrk.com/nlp/index.php?url_bnm_redirect=http://google.comRoot
Source: cd.exe; String found in binary or memory: https://github.com/Juris-M/citeproc-js
Source: cd.exe; String found in binary or memory: https://github.com/citation-style-language/styles
Source: cd.exe; String found in binary or memory: https://ims-na1-stg1.adobelogin.com
Source: cd.exe; String found in binary or memory: https://ims-prod06.adobelogin.com
Source: cd.exe; String found in binary or memory: https://lcs-cops-dev.adobe.io
Source: cd.exe; String found in binary or memory: https://lcs-cops-dev.adobe.iohttps://lcs-cops-stage.adobe.iohttps://lcs-cops.adobe.iohttps://lcs-rob
Source: cd.exe; String found in binary or memory: https://lcs-cops-stage.adobe.io
Source: cd.exe; String found in binary or memory: https://lcs-cops.adobe.io
Source: cd.exe; String found in binary or memory: https://lcs-robs-dev.adobe.io
Source: cd.exe; String found in binary or memory: https://lcs-robs-stage.adobe.io
Source: cd.exe; String found in binary or memory: https://lcs-robs.adobe.io
Source: cd.exe; String found in binary or memory: https://lcs-ulecs-dev.adobe.io
Source: cd.exe; String found in binary or memory: https://lcs-ulecs-stage.adobe.io
Source: cd.exe; String found in binary or memory: https://lcs-ulecs.adobe.io
Source: cd.exe; String found in binary or memory: https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-I
Source: d4a6d4bd[1].htm.9.dr; String found in binary or memory: https://mybetterdl.com/aS/feedclick?s=PmRMc57CnhYhj70e-I9ky5kfJerKhwxlfSMU3tyux_x5AGZrWUPSJmPzN2c9f2
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://ogs.google.com/widget/app/so?bc=1
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://ogs.google.com/widget/callout?prid=19025503
Source: cd.exe; String found in binary or memory: https://plasma.kde.org
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr; String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://policies.google.com/privacy?hl=en-GB&amp;fg=1&amp;utm_source=ucbs
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://policies.google.com/terms?hl=en-GB&amp;fg=1&amp;utm_source=ucbs
Source: cd.exe; String found in binary or memory: https://rrchnm.org/
Source: cd.exe; String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/19601/kw/connectivity/supporthub/mendeley/1setU
Source: cd.exe; String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/19611/kw/duplicates/supporthub/mendeley/Yes
Source: cd.exe; String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/22094/kw/migrate/supporthub/mendeley/
Source: cd.exe; String found in binary or memory: https://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contac
Source: cd.exe; String found in binary or memory: https://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQ
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://trends.google.com/hottrends
Source: cd.exe; String found in binary or memory: https://www.elsevier.com/legal/elsevier-website-terms-and-conditions
Source: cd.exe; String found in binary or memory: https://www.elsevier.com/legal/privacy-policy
Source: cd.exe; String found in binary or memory: https://www.gmu.edu/
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://www.google.co.uk/intl/en/about/products
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://www.google.com
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://www.google.com/?gws_rd%3Dssl
Source: ~DFFAD0E470126C2D77.TMP.7.dr; String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: ~DFFAD0E470126C2D77.TMP.7.dr; String found in binary or memory: https://www.google.com/?gws_rd=ssl_bnm_redirect=http://google.com
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr; String found in binary or memory: https://www.google.com/?gws_rd=ssl_bnm_redirect=http://google.com/?gws_rd=ssl
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://www.google.com/_/og/promos/
Source: {F14FAF31-15AF-11EC-90E5-ECF4BB2D2496}.dat.7.dr; String found in binary or memory: https://www.google.com/index.php?url_bnm_redirect=http://google.com/?gws_rd=ssl_bnm_redirect=http://
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr; String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://www.google.com/search?gws_rd%3Dssl%26q%3Dnebulae%26um%3D1%26ie%3DUTF-8%26tbm%3Disch%26csf%3D
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://www.google.com/url?q=https://www.google.com/chrome/download-chrome-for-search/%3Fbrand%3DOKW
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr; String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr; String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr; String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: rs=AA2YrTtiIgpyWC3dfQkzVoOu4jFUo5DWgw[1].js.9.dr; String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/search_black_24dp.png
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.auSrFW-FX90.O/rt=j/m=qabr
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.auSrFW-FX90.O/rt=j/m=qdsh/d=1/ed=1/rs=AA2YrTtiIgpyWC3
Source: LM1X3BMT.htm.9.dr; String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.wtXa61WU3WQ.L.X.O/m=qcwid/excm=qaaw
Source: cd.exe; String found in binary or memory: https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding
Source: cd.exe; String found in binary or memory: https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite
Source: cd.exe; String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
Source: cd.exe; String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com
Source: cd.exe; String found in binary or memory: https://www.mendeley.com/library
Source: cd.exe; String found in binary or memory: https://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-website
Source: cd.exe; String found in binary or memory: https://www.sysinternals.comntdllRtlInitUnicodeStringNtOpenDirectoryObjectNtQuerySectionNtQueryDirec
Source: cd.exe; String found in binary or memory: https://www.virustotal.com/about/terms-of-service%s
Source: cd.exe; String found in binary or memory: https://www.virustotal.comPOST4e3202fdbe953d628f650229af5b3eb49cd46b2d3bfe5546ae3c5fa48b554e0capikey
Source: cd.exe; String found in binary or memory: https://www.zotero.org/
Source: unknown; HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateHost: menehleibe.comContent-Length: 12Connection: Keep-AliveCache-Control: no-cacheData Raw: 69 63 3d 30 26 66 62 3d 74 72 75 65 Data Ascii: ic=0&fb=true
Source: unknown; DNS traffic detected: queries for: menehleibe.com
Source: global traffic; HTTP traffic detected: GET /aS/feedclick?s=PmRMc57CnhYhj70e-I9ky5kfJerKhwxlfSMU3tyux_x5AGZrWUPSJmPzN2c9f2E7_vAN-6p8GpmDZG8TCuTZ6pDoEwlyap2kZsgzB4lH00ug8e5ExIzs-GByJkw_hnoLHWVUL2gXgUyatsBFMaSTc1RQ5RxkQPBqyyTn3ctXNy_0uSHRSxkmOy8VHMc85GIOT4jmse8Hco-FpMlb9RHx56VxjN2QtFN197vLrfkZ9qE509t5aRYfk0fTaZIGwGtVFx6Cjc1It8vKVodI2QoCnLeLuzBqxrSYHinyRIiR6SzTXaBf9PH6fc538M5WEvMvhjauUHGubj961r75KUjKtSXnHatHqEuiyuTMyWjRyjCKMGCurZS8_bcUa4tJgkiTyXdC5k_Q4CBuzEhgKlo_tO4ZCxjCqbxJk5Qzkw_MwwsEKwa-Bh_puw260HEYWHbHAxhhGdlJM-I_t1xxhVv3SQmb2uwb95RlGM7AqpOHVVF6EgPkt4a55MyZVnXuVkgrUl1akVOciihIlqaZoSoe2Ylzr70WFqgr6AhoabQSBzCjuJYNp4gwUYV0VWvRZajmUWO_Vxo8ML-hjUsrPH807AqUmDxuY4v8inEoo-y-qnyU06p2Uh3Pw9YdNYD58IK4CKCGcA-Uam9dcss-T-5Iub4J15H67wFZ2snzzWpWzEKC9XUORoe_dbnEgAhHx_n7Z4tVOYdW5lW6ruDPqaeHc0uzcTU9bgm_in-W2l5vorxPFmQaTFIcy4B5guOnMJ5yZHLQD576xYWbP03aM83dTwE3kMpnzCC1V5B-3hXd5pzfx17GSZUu2KHXImolykrmTazGZKmMBhE5rzai4ARXglTM7lPAlIssdjgnlOgBObVnL6dMrNPV4wycVX3s5OxtJMXedCWE2r5biNOcX3y5Pmw-0BUdBZv7MvlSTP2Fk9AaabOem2Q73GpjsG_dwXVnUc2FH6zZuqWu2Dli66C-XucADfX2tBPlR3prQOfp40mttv00_iCR6q6fLI9QZgGY11WgfO3qdEgV2xwoj0eGTIxBicwTEMicE9X3AYQsCpAEn3pdnGSoQpHTA7Kz9fo94mKnTULy2teQgTesP9hhxLreOeHrbCzwHSSbH-FJZx15JZAYCxI8gV6bvS4IWlDg_vysGgTqrjiFCjhA5kocz54NYxtQVvyXSZspRWMKjI1QYN8ennj2JVFvWfYyzeLbGr1ovqBCtNBvJi2ztcTgBlsW0SM8XIsRgd4QMcWZcycyUPzb9Wd1bDxFTAWmSXH43ynD5UObBi5FyNDw8qKKmoCnfedHiztWYQxKotKUGaKd1m_k2iMIc5SBU1Vi7-MGW4_Mi4WYIzJL61eBLaioPhng2BQ6PDt8aAWdDMho29RkRFHVPIQb3W3nWMGo8srLOHYnfrFRuEDgcm6cqkr2IQD0T7sB-GexA77NdWEi2cdlkkLEB146pQ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: mybetterdl.comConnection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /adServe/domainClick?ai=qR193HoKV_skvRDJ1Xl7Z2EMSqLSlBmindZv5NojCHOwn03uCMUnWWP1f_rG7YbjKg1peh-_obzBIj3uZHPpnj9EVoFzCvr6nUsZVZhWVPP-29LJmEHdmZ7b6Qy9a1mHTiLNxNNj-331YCaynPT02WREUdU8hBvdAVtzW-BnG_JiVnQIGgxQDiU7ugF2M-yuSZspRWMKjI0oZaL4_NY6BA8B78vhYDGtjMUdyxHqWTbxnarhY6PRQCoyupr1mhPBjhdEqJB6Nj2XmDvYXWw9hp-qFZn5gpnPqtE9sbJicJwX2fEbVjxB9kp2QAzznS8_6fjhgUFt3sQISiZ3D8mF7LCm2HeI0S938_gGwpSXr3tSAMcY_H2x07HFovOGSDpNKiXhLmiyflhHQ2DhJtv57Pgpt-TBvcxCEwrLEAaOW_go6oM85zEqQcFJgSFbjHo8VjLddbnKrYw&ui=PmRMc57CnhbNSfHhL5kCGmvi5v6ZZrF7dLiTNq3P25qokS0sVeF3FkXI0PDyooqap4CS6zytrLbvtEDBZZLJWA-odODn3W3LTPqV0hvm1VqP--qZkGGf_8AXd3hExnhV&si=1&oref=a606ca39dc85b39bdaa2bf88832fa198&optunit=SZspRWMKjI3Y6yHw-JV9WQ&rb=mhdAWEBiphk&rr=1&abtg=0 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: p226681.mybetterdl.comCookie: rhid=79630578833
Source: global traffic; HTTP traffic detected: GET /click.php?key=qxr7sx5xq96osnrqgm1a&subid=87057224030&bid=0.025&site=413999995&source=413999995&clickid=87057224030&browser=Internet+Explorer+11&geo=CH&campaign_name=CH&device=Desktop&os=Windows+10 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: gertrk.com
Source: global traffic; HTTP traffic detected: GET /nlp/index.php?url_bnm_redirect=http://google.com HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://menehleibe.com/Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: gertrk.comCookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gertrk.comConnection: Keep-AliveCookie: uclick=16bzxofy; uclickhash=16bzxofy-16bzxofy-h9-0-ci-wh-4p-268f1c
Source: global traffic; HTTP traffic detected: GET /?gws_rd=ssl HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.google.com
Source: global traffic; HTTP traffic detected: GET /images/branding/googlelogo/2x/googlelogo_color_272x92dp.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.google.com/?gws_rd=sslAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=PENDING+509
Source: global traffic; HTTP traffic detected: GET /gen_204?ei=rKtAYY2rHY25kwWZrp3YAw&vet=10ahUKEwiNsaLc0P7yAhWN3KQKHRlXBzsQhJAHCBQ..s&gl=GB&pc=SEARCH_HOMEPAGE&isMobile=false HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.google.com/?gws_rd=sslAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=PENDING+509
Source: global traffic; HTTP traffic detected: GET /images/searchbox/desktop_searchbox_sprites318_hr.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.google.com/?gws_rd=sslAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=PENDING+509
Source: global traffic; HTTP traffic detected: GET /images/bjM3gVEtKlUeWm2NnKw3/UycpbcugJuZhqNGVGh8/kwk4esZ_2F2xjDYD_2BSa_/2F328cjxY6AQM/kA5SneVc/JKL1AVTBXoV77D1JaKVgbri/d8lSYHOR5C/_2FOPoUzuMMso_2Bp/A_2Ffbx4wppa/aSm6IWIjM6R/Y44GbYY.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: menehleibe.comConnection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: menehleibe.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.google.com
              Source: unknown | HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49740 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49739 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49741 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 173.192.101.24:443 -> 192.168.2.6:49742 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49743 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 168.119.139.96:443 -> 192.168.2.6:49744 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 142.250.102.106:443 -> 192.168.2.6:49751 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected Ursnif
              Source: Yara match | File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

              E-Banking Fraud:

              Yara detected Ursnif
              Source: Yara match | File source: 00000001.00000003.408326958.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408240054.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.407536237.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.429559902.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408480874.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408113887.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.407620205.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408655668.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.408034062.0000000003138000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: cd.exe PID: 6888, type: MEMORYSTR

              System Summary:

              Writes or reads registry keys via WMI
              Source: C:\Users\user\Desktop\cd.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Users\user\Desktop\cd.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\cd.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Writes registry values via WMI
              Source: C:\Users\user\Desktop\cd.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Users\user\Desktop\cd.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Users\user\Desktop\cd.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: cd.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_0040323C
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_00401873 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_0040171A NtMapViewOfSection,RtlNtStatusToDosError,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_0040202A NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_004022D1 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_004020E9 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,memcpy,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_00402F98 memset,memcpy,NtSetContextThread,LdrInitializeThunk,RtlNtStatusToDosError,GetCalendarWeekNumber,GetLastError,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_00401646 NtGetContextThread,LdrInitializeThunk,RtlNtStatusToDosError,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_00402550 NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset,LdrInitializeThunk,LdrInitializeThunk,memcpy,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_0040345D NtQueryVirtualMemory,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_004018E5 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_004031F0 NtGetContextThread,
              Source: C:\Users\user\Desktop\cd.exe | Code function: 1_2_004012A3 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
              Source: cd.exe | Binary or memory string: zD%s\service_log.txtERROR! %s %s : %s%s\StringFileInfo\040904b0\OriginalFilename\installpath_SkipServiceVerificationChecks%s\bin\service_minimum_versions.vdf%s\service_minimum_versions.vdfVersion file missing or corrupt: %s vs cd.exe
              Source: cd.exe | Binary or memory string: M\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs cd.exe
              Source: cd.exe | Static PE information: Number of sections : 71 > 10
              Source: cd.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: cd.exe | ReversingLabs: Detection: 60%
              Source: cd.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\cd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\cd.exe 'C:\Users\user\Desktop\cd.exe'
              Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2
              Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4568 CREDAT:17410 /prefetch:2
              Source: C:\Users\user\Desktop\cd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F14FAF2F-15AF-11EC-90E5-ECF4BB2D2496}.dat
              Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF1C6E09CA4CF5EBDD.TMP
              Source: cd.exe | Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServer\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program.
              Source: cd.exe | Binary string: HNtOpenKeyExNtCreateKey: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\registry_dispatcher.ccConsider modifying policy using this policy rule: REG_ALLOW_ANYNtOpenKey: STATUS_ACCESS_DENIED\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
              Source: cd.exe | Binary string: A@\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
              Source: cd.exe | Binary string: A4057363broker_pdfshell_sh/if/id %uAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Software\Adobe\Acrobat Reader\DC\FeatureStateSoftware\Adobe\Adobe Acrobat\DC\FeatureState
              Source: cd.exe | Binary string: FNtCreateSection: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\signed_dispatcher.ccreal_path: NtOpenSection: STATUS_ACCESS_DENIED\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dll
              Source: cd.exe | Binary string: M\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SystemTopicsSysItemsSystemFormatsCF_TEXTStatusReadyHelpYou are connected to Adobe Acrobat.ReturnMessage
              Source: cd.exe | Binary string: A\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F]P
              Source: cd.exe | Binary string: fH', pattern = ', semantics = , subsystem = error = Failed to add sandbox rule.D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\sandbox_policy_base.ccinterceptions setup failed - error:process initialization failed - error:g_shared_delayed_integrity_levelg_shared_delayed_mitigationsCreateAppContainerToken\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F]
              Source: cd.exe | Binary string: #O\\.\\\?\CreateNamedPipe: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\named_pipe_dispatcher.ccname: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\invalid stoull argumentstoull argument out of range
              Source: cd.exe | Binary string: Zh#M\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\dZh0
              Source: cd.exe | Binary string: M\Device\Mup\Device\\SystemRoot\\Device\LanmanRedirector\
              Source: cd.exe | Binary string: NBrokerEvent0x%XFailed to construct job object for sandbox process - error:D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\broker_services.ccFailed to construct restricted tokens for sandbox process - error:4277065__security_cookieg_sandbox_winsta_handleg_sandbox_desktop_handleg_sandbox_main_thread_idg_broker_already_in_job_that_prohibits_breakawayg_is_compute_only_sandboxg_under_appv_virtualizationg_in_pm_appcontainerg_in_pv_appcontainer%sg_appcontainer_named_object_directory_handleg_appcontainer_object_dirg_broker_process_idFailed to add target - error:AcroBrokerSessionEndMsgListenerClassAcroBrokerSessionEndMsgListener\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exe | Binary string: ONtCreateFile: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\filesystem_dispatcher.ccreal path: NtOpenFile: STATUS_ACCESS_DENIEDNtQueryAttributesFile: STATUS_ACCESS_DENIEDNtQueryFullAttributesFile: STATUS_ACCESS_DENIEDNtSetInformationFile: STATUS_ACCESS_DENIED\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\kernel32.dll
              Source: cd.exe | Binary string: zl`l@`l@aFPDFMOutlook.PDFMOutlookSubjectEntryID\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exe | Binary string: {l`l@`l@aF\??\\Device\x
              Source: cd.exeBinary string: O\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ntdll.dllkernel32.dll
              Source: cd.exeBinary string: cadialhk.dllacpiz.dllactivedetect32.dllactivedetect64.dllairfoilinject3.dllakinsofthook32.dllassistant_x64.dllatcuf64.dllavcuf64.dllavgrsstx.dllbabylonchromepi.dllbtkeyind.dllcmcsyshk.dllcmsetac.dllcooliris.dllcplushook.dlldockshellhook.dlleasyhook32.dlleasyhook64.dllesspd.dllgoogledesktopnetwork3.dllfwhook.dllguard64.dllhookprocesscreation.dllhookterminateapis.dllhookprintapis.dllimon.dllicatcdll.dllicdcnl.dllioloHL.dllkloehk.dlllawenforcer.dlllibdivx.dlllvprcinj01.dllmadchook.dllmdnsnsp.dllmoonsysh.dllmpk.dlln64hooks.dllnpdivx32.dllnpggNT.desnpggNT.dllnphooks.dlloawatch.dllpastali32.dllpavhook.dllpavlsphook.dllpavshook.dllpavshookwow.dllpctavhook.dllpctgmhk.dllpicrmi32.dllpicrmi64.dllprntrack.dllprochook.dllprotector.dllradhslib.dllradprlib.dllrapportnikko.dllrlhook.dllrooksdol.dllrndlpepperbrowserrecordhelper.dllrpchromebrowserrecordhelper.dllr3hook.dllsahook.dllsbrige.dllsc2hook.dllsdhook32.dllsguard.dllsmum32.dllsmumhook.dllssldivx.dllsyncor11.dllsystools.dlltfwah.dllwblind.dllwbhelp.dllwindowsapihookdll32.dllwindowsapihookdll64.dllwinstylerthemehelper.dllD:\B\T\Imports\Open\Chrome\Chrome\src\services\service_manager\sandbox\win\sandbox_win.ccCreateAppContainerProfileSandbox container for Acrobat Reader Protected ModeAdobe Acrobat Reader DC Protected ModeAdobe.AcrobatReaderDC.ProtectedMode|bLTEnableConcurrencyInBrokerInit01DWSPY36.dll:1|CwComijt.dll:1|cscore.dll:1|vozokopot.dll:1|DreyeiMHook.dll:1|Dev2Dl32.dll:1|Nsccor01.dll:1|nsccor03.dll:1|DSTermPr.dll:1|jesterrun0.dll:1|DreyelMhook.dll:1|druver.dll:1|vpnlsp_x32.dll:1|msnhook.dll:1|hooker.dll:1|pcsw.dll:1|AntiExploitCore.dll:1|netchatidle.dll:1tDllLoadPermtDllLoadPerm_Computeonly4220220S-1-15-2-3805855342-111495108-2588610986-3809954156-747251120-2599371852-2534338891policy 
error:acrobat.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\RtlInitUnicodeStringntdll.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exeBinary string: NUnknownDefaultNtCreateFileNtOpenFileNtQueryAttributesFileNtQueryFullAttributesFileCreateNamedPipeWNtOpenThreadNtOpenProcessNtOpenProcessTokenNtOpenProcessTokenExCreateProcessWNtCreateKeyNtOpenKeyCreateThreadNtCreateSectioncompute-only-brokercompute-only-rendereripc-co-channelipc-rdr-channeltyperenderershell-broker-channelipc-cef-channellocaleservice-sandbox-typenonenone_and_elevatednetworkppapiutilitycdmprint_compositoraudiosharing_servicespeech_recognitionvideo_capturepdf_conversionproxy_resolverxr_compositingallow-no-sandbox-joballow-sandbox-debuggingdisable-gpu-sandboxdisable-namespace-sandboxdisable-seccomp-filter-sandboxdisable-setuid-sandboxdisable-win32k-lockdownenable-audio-service-sandboxgpu-sandbox-allow-sysv-shmgpu-sandbox-failures-fatalno-sandboxallow-third-party-modulesadd-gpu-appcontainer-capsno-sandbox-and-elevatedadd-xr-appcontainer-capsgpu-processnacl-brokernacl-loaderppapi-brokerppapiutilityservicezygotentdll.dll\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\@
              Source: cd.exeBinary string: A\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ControlH1`@dI0nIPdI\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SystemTopicsSysItemsSystemFormatsCF_TEXTStatusReadyHelpYou are connected to Adobe Acrobat.ReturnMessage 2`@dI0nI 7Hp2`
              Source: cd.exeBinary string: GCreateEvent: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\sync_dispatcher.ccOpenEvent: STATUS_ACCESS_DENIEDConsider modifying policy using these policy rules: EVENTS_ALLOW_ANY\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exeBinary string: H\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\IsWow64Process2SetDefaultDllDirectoriesSetProcessMitigationPolicy\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtSetInformationProcesssecurity descriptor - error:D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\target_process.ccCreateProcessAsUserW failed to create sandbox process - error:job object - error:set thread token - error:g_shared_sectiong_shared_IPC_sizeg_shared_policy_size\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F] F]#B
              Source: cd.exeBinary string: >`\Device\FileInfo%s%s%c:Superfetchinfo: %x Data: %x
              Source: cd.exeBinary string: 3`@gI84`pfI\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exeBinary string: cCZECSYGREELLSUOFINPOLPLKRUMROMTURTRKMNGMONESPESN\Locale\\brdlang32.Software\Adobe\Adobe Acrobat\DC\Language\current\brdlang32SYSTEM\CurrentControlSet\Control\FileSystemLongPathsEnabled\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\`
              Source: cd.exeBinary string: cnullbooleanintegerdoublestringbinarydictionarylist\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
              Source: cd.exeBinary string: :Zone.Identifierfeatmonitorapp.exeIPTip_Main_WindowSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer32%CommonProgramFiles%CommonProgramW6432Software\Adobe\Adobe Acrobat\DC\AVGeneralbProtectedModebHasAcrobatConsentDCSoftware\Adobe\Acrobat Reader\DC\PrivilegedContinuous.lnk\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\SeChangeNotifyPrivilegeS:(ML;;;;;)S-1-16-16384S-1-16-12288S-1-16-8192S-1-16-6144S-1-16-4096S-1-16-2048S-1-16-0NtCreateLowBoxToken\Sessions\%d\AppContainerNamedObjects\%lsNtCreateDirectoryObject\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ F] F] F] F] F] F] F] F] F] F] F] F] F] F] F]0
              Source: cd.exeBinary string: IDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsHandleAcroURLAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\list too longatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistrar_pptExport.emfatlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceException.tmp.pdfatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPICount
              Source: cd.exeBinary string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Reader /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplication{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe 
Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcroExch.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\NotificationAppxSOFTWARE\Adobe\Acrobat Reader\\DC\SOFTWARE\Adobe\Acrobat Reader\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstoreAdobe Reader XIRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrd
              Source: cd.exeBinary string: Gbad array new lengthmap/set too longstring too longVersionMajor{AC76BA86-0000-0000-7760-7E8A45000000}InstallLocationAcrobat\Acrobat.exeiEntitlementLevelbLoginStatusTrunkBetaDC\AVEntitlementSOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorVersionMinorInstallLocationAcrobat\Acrobat.exe#32770Learn MoreOkMsgBoxHookMsgBoxHookMsgBoxHookMsgBoxHook0x%XS:(ML;;NW;;;LW)rdrCEF_alternate_desktop_alr_alternate_desktop_rdrCEF_alternate_desktop_alr_alternate_desktop_\S-1-16-4096S:(ML;CIOI;NW;;;LW)TMP=TMP=TEMP=TEMP=LOCALAPPDATA=LOCALAPPDATA===invalid string positionvector too longSOFTWARE\Adobe\Adobe Acrobat\DC\Installer\bIsSingleClientAppbIsSCAcroAppInstalledSCAPackageLevelIsAcrInstalledInRdrModeSeShutdownPrivilegekernel32.dllGetNamedPipeServerProcessIdGetNamedPipeClientProcessIdS:(ML;;NW;;;LW)D:P(D;;GA;;;NU)(D;;GA;;;AN)(A;;GA;;;)(A;;GA;;;AC)\\.\pipe\AIPC_SRV\\\.\pipe\AIPC_CLI\Global\IEACROBATSTARTIPCNAMEDPIPECOMGlobal\ARM Update MutexGlobal\Acro Update MutexC:\thsnYaVieBodaTsnIorcAeBoda\\.\pipe\32B6B37A-4A7D-4e00-95F2-6F0BF3DE3E00SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDownbEnableEventViewerLoggingSoftware\Adobe\Acrobat Reader\DC\PrivilegedbEnableEventViewerLoggingAdobe ReaderDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsDocOpenDocPrintFilePrintFilePrintExFilePrintSilentFilePrintSilentExFilePrintToFilePrintToExFileTrustedPrintToExFileTrustedPrintSilentExFileTrustedPrintExFileOpenUntitledFileOpenFileOpenExFileOpenMinimizedFileTrustedOpenMinimizedFileTrustedOpenExFileOpenWithParamsFileTrustedOpenWithParamsHandleAcroURLAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\list too 
long4057363broker_pdfshell_sh/if/id %uAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exe\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Software\Adobe\Acrobat Reader\DC\FeatureStateSoftware\Adobe\Adobe Acrobat\DC\FeatureStateatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClient\??\\Device\atlTraceDBProvider\\?\UNC\\??\UNC\/?/UNC/atlTraceSnapin\?\UNC\\??\pipe\\??\mailslot\atlTraceNotImpl\\?\\\.\\\atlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPIAcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib%d.%u.%d/cr/bSOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdownbEnforceReadRestrictionsSOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdownbEnableAlternateLaunchDesktopSoftware\Adobe\Adobe
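The dump above carries the Adobe/Chromium sandbox's access-control strings verbatim: the mandatory-label SIDs S-1-16-0 through S-1-16-16384, the labels S:(ML;;NW;;;LW) and S:(ML;CIOI;NW;;;LW), the blank template S:(ML;;;;;), and the named-pipe DACL template D:P(D;;GA;;;NU)(D;;GA;;;AN)(A;;GA;;;)(A;;GA;;;AC) next to \\.\pipe\AIPC_SRV. Reading them by eye is error-prone, so the following is an added example (not code from the report, Adobe or Chromium) that decodes SDDL fragments and integrity SIDs into named ACE types, rights and principals. Assumptions, also marked in comments: the names given to the 2048 and 6144 levels follow the Chromium sandbox's own naming, since the report only shows the SIDs; an empty SID field in the pipe template is taken to be filled in at runtime, which the report does not show.

```python
import re

# Added example, not code from the report, Adobe or Chromium: decode the SDDL
# fragments and integrity-level SIDs that the dump lists inside cd.exe, so the
# reader can see what each one grants, denies or labels.

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT",
             "ML": "SYSTEM_MANDATORY_LABEL"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          # mandatory-label policy bits, only meaningful inside an ML ace
          "NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP"}
SID_ALIASES = {"NU": "NETWORK", "AN": "ANONYMOUS", "AC": "ALL_APPLICATION_PACKAGES",
               "WD": "EVERYONE", "BA": "BUILTIN_ADMINISTRATORS", "BU": "BUILTIN_USERS",
               "SY": "LOCAL_SYSTEM", "IU": "INTERACTIVE", "LW": "LOW_MANDATORY_LEVEL",
               "ME": "MEDIUM_MANDATORY_LEVEL", "HI": "HIGH_MANDATORY_LEVEL", "SI": "SYSTEM_MANDATORY_LEVEL"}
# S-1-16-<rid>: Windows defines the 4096 steps; 2048 and 6144 are the extra
# levels the Chromium sandbox inserts between them (assumption: the names follow
# the sandbox's naming, the report only shows the SIDs).
INTEGRITY_LEVELS = {0: "Untrusted", 2048: "Below Low (Chromium sandbox level)", 4096: "Low",
                    6144: "Medium Low (Chromium sandbox level)", 8192: "Medium", 8448: "Medium Plus",
                    12288: "High", 16384: "System", 20480: "Protected Process"}

_COMPONENT = re.compile(r"([OGDS]):")
_ACE = re.compile(r"\(([^)]*)\)")
_INTEGRITY_SID = re.compile(r"^S-1-16-(\d+)$")


def integrity_level(sid):
    """Name for a mandatory-label SID, or None if the SID is not one."""
    m = _INTEGRITY_SID.match(sid)
    if not m:
        return None
    rid = int(m.group(1))
    return INTEGRITY_LEVELS.get(rid, "unknown integrity RID 0x%x" % rid)


def _tokens(s):
    # SDDL packs flags and rights as two-letter tokens; a hex mask is also legal.
    return [s] if s.startswith("0x") else [s[i:i + 2] for i in range(0, len(s), 2)]


def describe_sid(sid):
    if not sid:
        return "<empty>"  # template string; assumed to be filled in at runtime
    return SID_ALIASES.get(sid) or integrity_level(sid) or sid


def parse_ace(raw):
    fields = (raw.split(";") + [""] * 6)[:6]  # tolerate short templates like (ML;;;;;)
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(t, t) for t in _tokens(flags)],
            "rights": [RIGHTS.get(t, t) for t in _tokens(rights)],
            "object_guid": obj_guid, "inherit_guid": inh_guid,
            "sid": sid, "sid_name": describe_sid(sid)}


def parse_sddl(sddl):
    """Split O:/G:/D:/S: components; D and S become {'flags': [...], 'aces': [...]}."""
    parts = _COMPONENT.split(sddl)
    if parts[0].strip() or len(parts) < 3:
        raise ValueError("not an SDDL string: " + sddl)
    out = {}
    for key, body in zip(parts[1::2], parts[2::2]):
        if key in "OG":
            out[key] = describe_sid(body.strip())
            continue
        head = body.split("(", 1)[0]
        acl_flags = ["PROTECTED"] if head.startswith("P") else []
        head = head[1:] if head.startswith("P") else head
        acl_flags += [{"AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}.get(t, t) for t in _tokens(head)]
        out[key] = {"flags": acl_flags, "aces": [parse_ace(a) for a in _ACE.findall(body)]}
    return out


def describe(sddl):
    """Human-readable lines for one SDDL string."""
    lines = []
    for key, acl in parse_sddl(sddl).items():
        if key in "OG":
            lines.append(f"{'owner' if key == 'O' else 'group'}: {acl}")
            continue
        lines.append(f"{'DACL' if key == 'D' else 'SACL'} flags={acl['flags'] or ['-']}")
        for ace in acl["aces"]:
            lines.append(f"  {ace['type']} flags={'+'.join(ace['flags']) or '-'} "
                         f"rights={'|'.join(ace['rights']) or '-'} -> {ace['sid_name']}")
    return lines


# Strings copied from the report's dump of cd.exe (the Adobe/Chromium sandbox code it carries).
REPORT_SDDL = [
    "S:(ML;;NW;;;LW)",                                    # low label, no write-up
    "S:(ML;CIOI;NW;;;LW)",                                # same, inherited by children
    "S:(ML;;;;;)",                                        # template, rights and SID blank
    "D:P(D;;GA;;;NU)(D;;GA;;;AN)(A;;GA;;;)(A;;GA;;;AC)",  # named-pipe DACL template
]
REPORT_INTEGRITY_SIDS = ["S-1-16-16384", "S-1-16-12288", "S-1-16-8192", "S-1-16-6144",
                         "S-1-16-4096", "S-1-16-2048", "S-1-16-0"]

if __name__ == "__main__":
    for s in REPORT_SDDL:
        print(s)
        print("\n".join(describe(s)))
    for sid in REPORT_INTEGRITY_SIDS:
        print(sid, "->", integrity_level(sid))
```

The pipe template reads as: protected DACL (no inherited ACEs), deny everything to NETWORK and ANONYMOUS, allow everything to one principal the string leaves blank, and allow everything to ALL APPLICATION PACKAGES, which is what an AppContainer renderer needs to reach the broker pipe. The two ML entries both set a Low label with NO_WRITE_UP, so a low-integrity process can read but not write the object.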
              Source: cd.exeBinary string: Software\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770/\ADelRCP.exeClick on 'Change' to select default PDF handler.pdfpropertiesShowAppPickerForPDF.exeProgram ManagerPROGMANClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfApplicationSOFTWARE\Adobe\Adobe Acrobat\{A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat 
Reader\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdfTrunk{AC76BA86-0000-0000-7760-7E8A45000000}BetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonAcrobat.Document.SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.11.pdfSOFTWARE\Google\Chrome\NativeMessagingHosts\.com.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj{AC76BA86-0000-0000-7760-7E8A45000000}VersionMajorLowerCoExVersionSOFTWARE\Adobe\Adobe Acrobat\DC\InstallerCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionINSTALLUWPAPP=1 REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 IS_COEX_REPAIR=1 /qn/i msiexec.exe/i AppDoNotTakePDFOwnershipAtLaunch ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qnmsiexec.exeAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Dev
              Source: cd.exeBinary string: O 3Eg_interceptionsNtMapViewOfSectionNtUnmapViewOfSectiong_originals\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Invalid Object foundD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\filesystem_policy.ccrequested path: actual path: Unexpected handle for path: Unexpected handle\/?/?\?:?:\\/?/?\UNC\Failed to process path (recursion detected): error code:Failed to process path:Unexpected error in path processing of:Unexpected error in source path processing of:::$DATA:$I30:$INDEX_ALLOCATION::$INDEX_ALLOCATION\\.\pipe\\\.\mailslot\Invalid path: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\\\?\pipe\\Device\NamedPipe\SameObject check failed: D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\named_pipe_policy.ccntdll.dllkernel32.dllNtAllocateVirtualMemoryNtCloseNtDuplicateObjectNtFreeVirtualMemoryNtProtectVirtualMemoryNtQuerySectionNtQueryVirtualMemoryNtSignalAndWaitForSingleObjectNtWaitForSingleObjectRtlAllocateHeapRtlAnsiStringToUnicodeStringRtlCreateHeapRtlCreateUserThreadRtlDestroyHeapRtlFreeHeap_strnicmpstrlenwcslenmemcpy_wcsnicmpswprintf_sNtQueryInformationThreadNtSetInformationFileNtDeleteValueKeyNtCreateMutantNtOpenMutantNtOpenSectionNtAddAtomNtFindAtomNtDeleteAtomNtQueryInformationAtomg_ntNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenEx\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtSuspendProcessNtResumeProcessNtCreateProcessExntdll.dllInitializeProcThreadAttributeListUpdateProcThreadAttributeCreateProcessWAction: STATUS_ACCESS_DENIEDD:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\process_thread_policy.ccapp name: command line: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\ for: Unexpected 
D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\registry_policy.ccReal path: CreateKeyOpenKey\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Handle AccessCheck failed: D:\B\T\Imports\Open\Chrome\Chrome\src\sandbox\win\src\signed_policy.cc\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\NtQuerySymbolicLinkObjectNtOpenSymbolicLinkObject%d\Sessions\BNOLINKSNtCreateEventNtOpenEvent\??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\
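The recurring prefix table (\??\, \Device\, \\?\UNC\, \??\UNC\, /?/UNC/, \?\UNC\, \??\pipe\, \??\mailslot\, \\?\, \\.\) and the filesystem_policy.cc strings above (::$DATA, :$I30:$INDEX_ALLOCATION, "Failed to process path (recursion detected)") belong to the Chromium sandbox code the sample carries. They exist because a sandbox broker that matches requested paths against allow rules must first fold every spelling of a path back to one canonical form; otherwise a rule for C:\Users\... is bypassed with \??\C:\Users\..., a trailing ::$DATA stream suffix, or a ..\ segment. The following is an added example of that check, written here and not taken from Chromium or Adobe. Assumptions, also marked in comments: the allow rule and the sample requests are constructed; NT \Device\ paths are refused outright because resolving them needs the object manager, which an offline check does not have; rules are evaluated first-match.

```python
import re

# Added example, not code from the report, Adobe or Chromium: fold the path
# spellings listed in the sandbox's prefix table to one canonical form before
# matching them against a filesystem allow rule, refusing stream suffixes and
# traversal. Assumptions: first matching rule wins; \Device\ paths are refused
# offline because mapping them to a drive needs the object manager.

NT_PREFIXES = (            # longest prefixes first, order matters
    ("\\??\\UNC\\", "unc"),
    ("\\\\?\\UNC\\", "unc"),
    ("\\?\\UNC\\", "unc"),
    ("\\??\\pipe\\", "pipe"),
    ("\\\\.\\pipe\\", "pipe"),
    ("\\??\\mailslot\\", "mailslot"),
    ("\\\\.\\mailslot\\", "mailslot"),
    ("\\??\\", "drive"),          # NT object-manager form, \??\C:\...
    ("\\\\?\\", "drive"),         # Win32 extended-length form, \\?\C:\...
    ("\\\\.\\", "drive"),         # Win32 device namespace, \\.\C:\...
    ("\\Device\\", "nt_device"),  # \Device\HarddiskVolumeN\..., object manager needed
)


def strip_prefix(path):
    p = path.replace("/", "\\")   # /?/UNC/ and forward-slash paths fold to backslashes
    low = p.lower()
    for prefix, kind in NT_PREFIXES:
        if low.startswith(prefix.lower()):
            return kind, p[len(prefix):]
    if p.startswith("\\\\"):
        return "unc", p[2:]       # bare \\server\share
    return "drive", p


def canonicalize(path):
    """Return (kind, canonical_path); raise ValueError when the path must be refused."""
    kind, rest = strip_prefix(path)
    if kind == "nt_device":
        raise ValueError("NT device path needs object-manager resolution, refused offline: " + path)
    if kind in ("pipe", "mailslot"):
        return kind, rest         # separate namespace, never a filesystem match
    # Only the drive letter may carry a colon; anything else is a stream
    # (::$DATA, :$I30:$INDEX_ALLOCATION, file.txt:hidden) or device syntax.
    if ":" in rest[2:]:
        raise ValueError("alternate data stream or device syntax refused: " + rest)
    root_len = 2 if kind == "unc" else 1  # \\server\share  vs  C:
    segments = []
    for seg in rest.split("\\"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(segments) <= root_len:
                raise ValueError("traversal above the root refused: " + path)
            segments.pop()
            continue
        segments.append(seg)
    if kind == "drive":
        if not segments or not re.fullmatch(r"[A-Za-z]:", segments[0]):
            raise ValueError("relative or driveless path refused: " + path)
        segments[0] = segments[0].upper()
        return kind, "\\".join(segments)
    if len(segments) < root_len:
        raise ValueError("UNC path without server and share refused: " + path)
    return kind, "\\\\" + "\\".join(segments)


def evaluate(rules, requested):
    """First matching rule wins; anything unmatched or unparseable is denied."""
    try:
        kind, canon = canonicalize(requested)
    except ValueError as err:
        return "deny", str(err)
    if kind in ("pipe", "mailslot"):
        return "deny", f"{kind} namespace is not covered by filesystem rules: {canon}"
    req = canon.lower().split("\\")
    for action, rule_path in rules:
        _, rule_canon = canonicalize(rule_path)
        rule = rule_canon.lower().split("\\")
        if req[:len(rule)] == rule:   # segment-wise prefix, so C:\Temp2 never matches C:\Temp
            return action, canon
    return "deny", "no rule matched " + canon


RULES = [("allow", "C:\\Users\\user\\AppData\\Local\\Temp")]   # hypothetical broker rule

SAMPLE_REQUESTS = [   # constructed requests mixing the spellings from the prefix table
    "C:\\Users\\user\\AppData\\Local\\Temp\\x.pdf",
    "\\??\\C:\\Users\\user\\AppData\\Local\\Temp\\x.pdf",
    "c:/users/USER/appdata/local/temp/x.pdf",
    "\\\\?\\C:\\Users\\user\\AppData\\Local\\Temp\\x.pdf::$DATA",
    "C:\\Users\\user\\AppData\\Local\\Temp\\:$I30:$INDEX_ALLOCATION",
    "C:\\Users\\user\\AppData\\Local\\Temp\\..\\..\\..\\..\\NTUSER.DAT",
    "\\\\.\\pipe\\AIPC_SRV",
    "\\Device\\HarddiskVolume2\\Users\\user\\AppData\\Local\\Temp\\x.pdf",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, detail = evaluate(RULES, req)
        print(f"{action:5} {req!r:75} {detail}")
```

The first three requests are the same file spelled three ways and all resolve to one allowed path; the stream and traversal forms are refused before any rule is consulted, the pipe request is recognised as a different namespace, and the \Device\ form is denied because the check cannot resolve it offline. A real broker does the equivalent of the last step by resolving through the object manager rather than refusing.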
              Source: cd.exeBinary string: \??\\Device\\\?\UNC\\??\UNC\/?/UNC/\?\UNC\\??\pipe\\??\mailslot\\\?\\\.\\\Ntdll.dllNtQueryInformationProcessSTATIC_acroS_winAcroPDF.dllAcroPDFImpl.dllNPPdf32.dllPDFPrevHndlr.dllPDFPrevHndlrShim.dllPDFThumbHndlr.dllPDFShell.dllPDFPropHndlr.dllAcroSBL/b/id/id4057363/if%s_%lu_%lu/acGeckoPluginWindowplugin-container.exe4021007AcroCEF\RdrCEF.exeAcroCEF\AcroCEF.exeRdrCEF.exeAcroCEF.exeSTATICswBrowser|rdr|\Javascripts\JSByteCodeWin.bin|rdr|\AdobeUpdater.dll|sys|\ddraw.dll|sys|\dciman32.dllAdobeReaderSpeedLaunchCmdWndSOFTWARE\Adobe\Acrobat Reader\DC\AcroSpeedLaunchAcrobatSDIWindowAdobeAcrobatAcrobatTimerWndAcrobat runningMcShieldAvSynMgrnavapsvcAntiVirServiceAVPekrnIsVirusCheckerPresentServicesActivefound servicerunningIsVirusCheckerPresent doneAbortWM_CLOSEerr in TimeoutOrExitWaitUntilTimeoutOrMustExitOrVirusCheckerPresenterr in checkerSetThreadPriority worker thread lownot all ops, go into vc modewaitingmsvcr100.dllmsvcp100.dlldo Opsworker throw!worker doneTerminate thread!
              Source: classification engineClassification label: mal100.spre.troj.evad.winEXE@4/27@6/5
              Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.ini
              Source: cd.exeString found in binary or memory: /cite/word/install
              Source: cd.exeString found in binary or memory: Couldn't find documents: You have selected documents from both My Library a Shared Group, or from multiple Shared Groups, which is not supported.Documents in multiple groupsPlease select the documents you wish to cite.importing %1 documents from plugin into ??geometry/newLibrarySplittergeometry/horizontalSplittergeometry/verticalSplitterSynchronizing - Step %1 of %2GroupFilterCollectionDeletedFilter1trigger()Synchronizing Zotero - Step %1 of %22duplicateSearchStarted(WorkerJob::Pointer)1highlightAndScrollTo(QList<Document::Pointer>)2allJobsFinished(QList<Document::Pointer>)Invite/invite/?dgcid=Mendeley_Desktop_Invite-colleagues/cite/word/install/importshowSignInmendeley://loginshowJoinMendeleyFormmendeley://registerDelete this document from your library?Delete %1 documents from your library?
              Source: cd.exeString found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
              Source: cd.exeString found in binary or memory: 1openHelpGuides()Help Guides1openMendeleyWebsite()Mendeley Website1openFAQ()FAQ1openContactSupport()Contact SupportCheck for UpdatesCheck Now1toggleCheckForPreviewUpdates()Create Backup...1openMendeleyPrivacyPolicy()Privacy Policy1openMendeleyTandCs()Terms and Conditions1showAbout()https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-websitehttps://www.elsevier.com/legal/elsevier-website-terms-and-conditionshttps://www.elsevier.com/legal/privacy-policyhttps://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQhttps://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contact-SupportOpt-out of Experimental ReleasesOpt-in to Experimental Releases
              Source: cd.exeString found in binary or memory: recently-added
              Source: cd.exeString found in binary or memory: 1timeout()1showDocumentView()all-documentsrecently-addedmy-publicationsfavoritesfavouritesunsortedselectExistingGroupByIdactiongroupIdtabNameoverviewmembersInvalid group tab namefailed to select group1syncProgressChanged(QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>)2progressChanged(QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>,QSet<SynchronizeJob::Action>)1updateRecentlyRead()selectExistingDocumentByIdidfileToOpenselectExistingFolderByIdfolderIdcan't fetch unknown document No document found matching the id1showStyleError(StylesFetcher::DownloadFromUrlError,QString)1selectStyle(QString)Style selected - %1Cannot install - %1. Error: %2No folder found matching the remote idMainWindowController::selectFilterByName: Can't find the filter showDocumentViewsetDocumentPropertiesPaneVisibilityselectMetadataTabselectTagsAndNotesTabselectFilterBySlugselectFilterByNameselectDocumentRowselectMainTabselectDocumentByIdselectGroupByIdH
              Source: cd.exeString found in binary or memory: :/images/onboarding/bubbles/add_copy.png
              Source: cd.exeString found in binary or memory: Try Mendeley <a href="https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-Importer"><b>Web Plugin</b></a> to import documents in just one click
              Source: cd.exeString found in binary or memory: <html><head/><body><p><a href="https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">Cite</span></a> your Mendeley references in Microsoft Word<sup>&reg;</sup> or LibreOffice<sup>&trade;</sup></p></body></html>
              Source: cd.exeString found in binary or memory: <html><head/><body><p>Discover how to <a href="https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">highlight and annotate</span></a> documents in your library</p></body></html>
              Source: cd.exeString found in binary or memory: :/images/onboarding/bubbles/next.pngAdd and CreateUserGuidePopoverWidgetHide the Guidance PopupAlt+CClick here to <b>import</b> documents and folders to your library or <b>create new</b> entries manually.or importImport other librariesTry Mendeley <a href="https://mendeley.com/reference-management/web-importer/#id_1?dgcid=Mendeley_Desktop_Onboarding-Add-Importer"><b>Web Plugin</b></a> to import documents in just one clickYour Mendeley Library is backed up to the Mendeley Cloud every time you sync so you can access it on Mendeley Web Library, Mendeley Mobile or other installations of Mendeley Desktop. You can manage synchronization of your file attachments here.Click the help button to find out more about Mendeley and learn how to cite, annotate and collaborate.Learn how to<html><head/><body><p><a href="https://www.mendeley.com/guides/using-citation-editor?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">Cite</span></a> your Mendeley references in Microsoft Word<sup>&reg;</sup> or LibreOffice<sup>&trade;</sup></p></body></html><html><head/><body><p>Discover how to <a href="https://www.mendeley.com/guides/desktop/04-read-highlight-annotate?dgcid=Mendeley_Desktop_Onboarding-Help-Cite"><span style=" font-weight:600; text-decoration: underline; color:#0000ff;">highlight and annotate</span></a> documents in your library</p></body></html>QPushButton:pressed { border: 1px solid white; background: white; color: white; opacity: 255; }QPushButton:pressed { border: 1px solid #F6F6F6; background: #F6F6F6; color: white; opacity: 255; }UserGuidePopover1trackButtonClick()1page0AltContentBiTeXButtonClicked()1page0AltContentEndNoteButtonClicked()1page0AltContentRISButtonClicked()1display()2displaySignal():/images/onboarding/bubbles/next.png:/images/onboarding/bubbles/close-button.pngStorage: Local & CloudThe help button will always be 
hereUserGuidePopover_Page%1unverifiedH
              Source: cd.exeString found in binary or memory: Please upgrade to a supported version of MS Word and re-install the Mendeley plugin through Mendeley Desktop's 'Tools' menu. Sorry for the inconvenience.
              Source: cd.exeString found in binary or memory: 1updateWordPlugin()1uninstallWordPlugin()Please upgrade to a supported version of MS Word and re-install the Mendeley plugin through Mendeley Desktop's 'Tools' menu. Sorry for the inconvenience.The Mendeley plugin requires Microsoft Word %1 or later.
              Source: cd.exeString found in binary or memory: documents-add
              Source: cd.exeString found in binary or memory: folder-add
              Source: cd.exe String found in binary or memory: 333?editMenuSeparatorviewerActions.selectionMenuviewerActions.highlightMenuviewerActions.zoomModeMenudocuments-addAddnewDocumentActionImport additional documents to the current collectionaddFilesActionaddFolderActionWatch FolderwatchFolderActionAdd Entry ManuallyaddManualEntryActionemptyEmptyemptyTrashActionDelete all documents from the Trashdocument-deleteremoveDocumentActionMove the selected documents to the TrashremoveDocumentActionTrashContextDelete the selected documents from the TrashrestoreRestoreRestore DocumentsrestoreDocumentActionRestore the selected documents to their original locationRemove from FolderremoveFromFolderActionRemove the selected documents from this folderRename Document Files...renameDocumentActionfolder-addCreate FolderNew Folder...newFolderActionCreate a new folderNew GroupNew Group...newGroupActionCreate a new groupfolder-removeRemove CollectionRemoveCollectionActionRemove the current collectioneditSettingsActionRename Collection...renameFolderActionmagnifiercatalogSearchActionMendeley Catalog Searchrelated-documentsRelatedrecommendActionRecommend related documentsSyncSynchronize LibrarysynchronizeActionSynchronize your library with Mendeley WebHelpHelp ContentshelpActionOpen the Online Help Guide for MendeleyFindfindActionFind NextfindNextActionFind PreviousfindPreviousActionselectAllActionciteCitesendCitationActionSend citation to plugincancelcancelCitationActionCancel sending citation to pluginEdit...editDocumentActionactionNotDuplicatesUpdate DetailslookupMetadataActionfullscreenFullscreenfullScreenActionzoomActionzoom-inZoom InzoomInActionzoom-outZoom OutzoomOutActionrotate-leftRotate LeftrotateAnticlockwiseActionrotate-rightRotate RightrotateClockwiseActionpanPanpanActionfit-pageFit to PagezoomModeFitPageActionfit-widthFit to WidthzoomModeFitWidthActionzoomModeCustomselectActionselect-rectangleSelect RectangleselectRectangleActionselect-textSelectSelect TextselectFlowActionColorSelect ColorselectColorActionhighlightActionhighlight-textHighlightHighlight TexthighlightTextActionhighlight-rectHighlight RectanglehighlightRectangleActionnoteNoteAdd NoteaddNoteActioncopyActionpasteAction:/icons/64x64/actions/%1/%2.png:/icons/toolbar/%1/%2.png:/icons/toolbar/%1/%2-active.png:/icons/16x16/actions/%1.png
              Source: cd.exe String found in binary or memory: The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
              Source: cd.exe String found in binary or memory: Try '%ls --help' for more information.
              Source: cd.exe String found in binary or memory: Commands : /install - Installs Steam Client Service
              Source: cd.exe String found in binary or memory: /installscript <file> <appid> - Runs a Steam game install script
              Source: cd.exe String found in binary or memory: /installscript
              Source: cd.exe String found in binary or memory: /installscript failed on: %s: %d
              Source: cd.exe String found in binary or memory: /install
              Source: cd.exe String found in binary or memory: /install service install failed
              Source: cd.exe String found in binary or memory: /setupsteam <command line> - Runs SteamSetup.exe/hide/installscript/installscript failed on: %s: %d
              Source: cd.exe String found in binary or memory: /install/install service install failed
              Source: cd.exe String found in binary or memory: /Install
              Source: cd.exe String found in binary or memory: /Stop
              Source: cd.exe String found in binary or memory: /Install/Uninstall/Start/Stop/RunAsService
              Source: cd.exe String found in binary or memory: ,ZJAll AccessRead/WriteExecuteQuery ValueSet ValueCreate Sub KeyEnumerate Sub KeysNotifyCreate LinkWOW64_ResWOW64_32KeyWOW64_64KeyGeneric Read/Write/ExecuteGeneric Read/WriteGeneric Read/ExecuteGeneric Write/ExecuteGeneric ReadGeneric WriteGeneric ExecuteRead Data/List DirectoryWrite Data/Add FileAppend Data/Add Subdirectory/Create Pipe InstanceRead EAWrite EAExecute/TraverseDelete ChildRead AttributesWrite AttributesRead ControlWrite DACWrite OwnerSynchronizeAccess System SecurityMaximum Allowedkernel32.dllSD\fltlib.dll%llx%lf%s%07d%02u:%02u:%02u.%07u%02u:%02u:%02u%I64d0x%I64x-1%I64u KB MB GBWindows 2000Windows XPWindows XP x64Windows Server 2003Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 10Windows Server 2016Windows %d.%d (build %d.%d)%08x:%08x%02X64-bit32-bit%x:%x:%x:%x:%x:%x:%x:%x%d.%d.%d.%d:%d:None
              Source: cd.exe String found in binary or memory: -help
              Source: cd.exe String found in binary or memory: sun/launcher/LauncherHelper
              Source: cd.exe String found in binary or memory: Error: Corrupt jvm.cfg file; cycle in alias list.ERRORError: Unable to resolve VM alias %sWarning: %s VM not supported; %s VM will be usedError: %s VM not supported-version-fullversion-help-?-jar-X-XX:NativeMemoryTracking=%s%d=%s%s%dTRACER_MARKER: NativeMemoryTracking: env var is %s
              Source: cd.exe String found in binary or memory: sun/launcher/LauncherHelper(Z[B)Ljava/lang/String;makePlatformStringjava/lang/String(ZILjava/lang/String;)Ljava/lang/Class;checkAndLoadMain%ld micro seconds to load main class
              Source: cd.exe String found in binary or memory: browser-startup-dialog
              Source: cd.exe String found in binary or memory: enable-service-binary-launcher
              Source: cd.exe String found in binary or memory: gpu-launcher
              Source: cd.exe String found in binary or memory: gpu-sandbox-start-early
              Source: cd.exe String found in binary or memory: gpu-startup-dialog
              Source: cd.exe String found in binary or memory: ppapi-plugin-launcher
              Source: cd.exe String found in binary or memory: ppapi-startup-dialog
              Source: cd.exe String found in binary or memory: renderer-startup-dialog
              Source: cd.exe String found in binary or memory: utility-startup-dialog
              Source: cd.exe String found in binary or memory: gpu2-startup-dialog
              Source: cd.exe String found in binary or memory: --start-crash-handler
              Source: cd.exe String found in binary or memory: QVersionNumbera+CONOUT$--start-crash-handlerRadareOrgCutterQList
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
              Source: cd.exe Static file information: File size 3922432 > 1048576
              Source: cd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\a\1\s\Win32\Release\logonsessions.pdb source: cd.exe
              Source: Binary string: c:\stream\develop\Regionhunt.pdb source: cd.exe
              Source: Binary string: D:\a\1\s\Win32\Release\RamMap.pdb source: cd.exe
              Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb))) source: cd.exe
              Source: Binary string: D:\B\T\BuildResults\bin\Release\AcrobatInfo.pdb source: cd.exe
              Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: cd.exe
              Source: Binary string: C:\agent\_work\93\s\Win32\Release\autoruns.pdb source: cd.exe
              Source: Binary string: D:\a\1\s\Win32\Release\adrestore.pdb source: cd.exe
              Source: Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: cd.exe

              Data Obfuscation:
