Windows Analysis Report
1.exe

Overview

General Information

Sample name: 1.exe
Analysis ID: 1430913
MD5: 0eac667cbce1c13116b0a40908d8695f
SHA1: e1212710726edd46307071c651fbaa8847b6c6a1
SHA256: 02c2d998d15695f75ee2768a4fc0cbc30898ef772ae081518d1fc78b5e1decbb
Tags: exe

Detection

Hancitor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Hancitor
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Creates files in the recycle bin to hide itself
Disables security and backup related services
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Sigma detected: Suspicious Windows Service Tampering
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Yara detected Keylogger Generic

Classification

Name: Hancitor
Description: Hancitor (aka Chanitor) emerged in 2013 and spread via social engineering techniques, mainly through phishing mails carrying malicious links and weaponized Microsoft Office documents containing malicious macros.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor

AV Detection

Source: 1.exe Avira: detected
Source: http://258ip.com/down/update1.exehttp://258ip.com/down/update2.exehttp://258ip.com/down/update3.exeh Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Avira: detection malicious, Label: W32/Viking.BD.Upk
Source: C:\Windows\Dll.dll ReversingLabs: Detection: 86%
Source: C:\Windows\rundl132.exe ReversingLabs: Detection: 97%
Source: 1.exe Virustotal: Detection: 87%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Joe Sandbox ML: detected
Source: 1.exe Joe Sandbox ML: detected

Location Tracking

Source: Yara match File source: Process Memory Space: 1.exe PID: 4324, type: MEMORYSTR
Source: 1.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hu-hu\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ja-jp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ko-kr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nl-nl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ro-ro\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ru-ru\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sk-sk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sl-sl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\uk-ua\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-tw\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app-api\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app-api\dev\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ca-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-gb\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fi-fi\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\he-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hu-hu\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nb-no\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nl-nl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pt-br\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ro-ro\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sl-si\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-cn\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-tw\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ca-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\cs-cz\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-gb\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\eu-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fi-fi\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-fr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hr-hr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hu-hu\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\it-it\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ja-jp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pl-pl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\root\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ru-ru\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sk-sk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sl-si\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sv-se\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\uk-ua\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-cn\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-tw\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\microsoftGraph\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\require\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\require\2.1.15\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\misc\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\css\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\images\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\themes\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini Jump to behavior
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: 1.exe, 00000000.00000003.2100872044.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: 1.exe, 00000000.00000003.2288712461.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source: Binary string: NisSrv.pdb source: 1.exe, 00000000.00000002.4451156723.00000000021C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: 1.exe, 00000000.00000003.2072167354.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: 1.exe, 00000000.00000003.2072838492.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: 1.exe, 00000000.00000003.2072838492.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: 1.exe, 00000000.00000003.2073003378.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroCEF\AcroCEF.pdbI source: 1.exe, 00000000.00000003.2086159442.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: plugin-container.pdb source: 1.exe, 00000000.00000003.2243476720.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: crashreporter.pdb source: 1.exe, 00000000.00000003.2236451239.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: 1.exe, 00000000.00000003.2099967561.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: 1.exe, 00000000.00000003.2085825576.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: tnameserv.exe.0.dr
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: 1.exe, 00000000.00000003.2091866454.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatExe.pdb source: 1.exe, 00000000.00000003.2069214748.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: 1.exe, 00000000.00000003.2072329052.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: 1.exe, 00000000.00000003.2199695779.00000000042BC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: 1.exe, 00000000.00000003.2303685427.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, GoogleCrashHandler64.exe.0.dr
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb# source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pingsender.pdb source: 1.exe, 00000000.00000003.2243142876.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x64\ship\click2run\x-none\IntegratedOffice.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: 1.exe, 00000000.00000003.2225154341.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_acro.pdbT source: 1.exe, 00000000.00000003.2094191005.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: 1.exe, 00000000.00000003.2073003378.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: 1.exe, 00000000.00000003.2287533320.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: 1.exe, 00000000.00000003.2072470333.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 1.exe, 00000000.00000002.4451156723.00000000021C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp, integrator.exe.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source: Binary string: private_browsing.pdb source: 1.exe, 00000000.00000003.2244245625.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: 1.exe, 00000000.00000003.2072329052.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: 1.exe, 00000000.00000003.2299846343.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler_unsigned.pdb source: 1.exe, 00000000.00000003.2302768967.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp, integrator.exe.0.dr
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: 1.exe, 00000000.00000003.2083949774.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: VSTOInstaller.pdb source: 1.exe, 00000000.00000003.2299284398.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, VSTOInstaller.exe.0.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: 1.exe, 00000000.00000003.2209901402.0000000004071000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: 1.exe, 00000000.00000003.2072167354.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: 1.exe, 00000000.00000003.2099466968.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: 1.exe, 00000000.00000003.2240207923.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\jim\Desktop\metro research\ApplicationID\Release\ApplicationID.pdb source: 1.exe, 00000000.00000003.2246792271.00000000040B4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: 1.exe, 00000000.00000003.2097585988.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb source: 1.exe, 00000000.00000003.2073322688.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: 1.exe, 00000000.00000003.2091866454.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdbP source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: 1.exe, 00000000.00000002.4451156723.00000000021C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdate_unsigned.pdb source: 1.exe, 00000000.00000003.2304800992.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb source: 1.exe, 00000000.00000003.2215777859.0000000004071000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: private_browsing.pdbp source: 1.exe, 00000000.00000003.2244245625.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: 1.exe, 00000000.00000003.2100872044.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: 1.exe, 00000000.00000003.2099192699.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: 1.exe, 00000000.00000003.2083949774.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: 1.exe, 00000000.00000003.2296957210.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x64\ship\click2run\x-none\IntegratedOffice.pdb source: 1.exe, 00000000.00000003.2225154341.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: 1.exe, 00000000.00000003.2207469171.0000000004071000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: 1.exe, 00000000.00000003.2099967561.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: 1.exe, 00000000.00000003.2240207923.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: 1.exe, 00000000.00000003.2085825576.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\AcrobatExe.pdb source: 1.exe, 00000000.00000003.2190991302.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: 1.exe, 00000000.00000003.2287533320.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: 1.exe, 00000000.00000003.2084471694.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: 1.exe, 00000000.00000003.2303685427.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, GoogleCrashHandler64.exe.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb8 source: 1.exe, 00000000.00000003.2301308090.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler_unsigned.pdbp source: 1.exe, 00000000.00000003.2302768967.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb source: 1.exe, 00000000.00000003.2083187341.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\workspace\RT_Win_8_2\Mainline\public\binary\Win\x64\Release\LogTransport2.pdbTTNGCTL source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: minidump-analyzer.pdb source: 1.exe, 00000000.00000003.2241462892.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_proxy.exe.pdb source: 1.exe, 00000000.00000003.2205445463.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: orbd.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: 1.exe, 00000000.00000003.2296957210.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_acro.pdb source: 1.exe, 00000000.00000003.2094191005.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe_x64.pdb source: 1.exe, 00000000.00000003.2274244679.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\notification_helper.exe.pdb source: 1.exe, 00000000.00000003.2212956369.0000000004071000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: 1.exe, 00000000.00000003.2072470333.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NisSrv.pdbGCTL source: 1.exe, 00000000.00000002.4451156723.00000000021C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb22 source: 1.exe, 00000000.00000003.2073322688.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source: Binary string: default-browser-agent.pdb source: 1.exe, 00000000.00000003.2237302809.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: updater.pdb source: 1.exe, 00000000.00000003.2244536391.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: 1.exe, 00000000.00000003.2099192699.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: 1.exe, 00000000.00000003.2300597090.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: 1.exe, 00000000.00000003.2301308090.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroCEF\AcroCEF.pdb source: 1.exe, 00000000.00000003.2086159442.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: 1.exe, 00000000.00000003.2084471694.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\mozilla-source\mozilla-central\other-licenses\nsis\Contrib\HttpPostFile\Release\HttpPostFile.pdb source: 1.exe, 00000000.00000003.2246792271.0000000004137000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ source: 1.exe, 00000000.00000003.2083187341.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\workspace\RT_Win_8_2\Mainline\public\binary\Win\x64\Release\LogTransport2.pdb source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\user\Desktop\1.exe File opened: z:
Source: C:\Users\user\Desktop\1.exe File opened: y:
Source: C:\Users\user\Desktop\1.exe File opened: x:
Source: C:\Users\user\Desktop\1.exe File opened: w:
Source: C:\Users\user\Desktop\1.exe File opened: v:
Source: C:\Users\user\Desktop\1.exe File opened: u:
Source: C:\Users\user\Desktop\1.exe File opened: t:
Source: C:\Users\user\Desktop\1.exe File opened: s:
Source: C:\Users\user\Desktop\1.exe File opened: r:
Source: C:\Users\user\Desktop\1.exe File opened: q:
Source: C:\Users\user\Desktop\1.exe File opened: p:
Source: C:\Users\user\Desktop\1.exe File opened: o:
Source: C:\Users\user\Desktop\1.exe File opened: n:
Source: C:\Users\user\Desktop\1.exe File opened: m:
Source: C:\Users\user\Desktop\1.exe File opened: l:
Source: C:\Users\user\Desktop\1.exe File opened: k:
Source: C:\Users\user\Desktop\1.exe File opened: j:
Source: C:\Users\user\Desktop\1.exe File opened: i:
Source: C:\Users\user\Desktop\1.exe File opened: h:
Source: C:\Users\user\Desktop\1.exe File opened: g:
Source: C:\Users\user\Desktop\1.exe File opened: f:
Source: C:\Users\user\Desktop\1.exe File opened: e:
Source: C:\Windows\explorer.exe File opened: c:
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404A80 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00404A80
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404A7E FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00404A7E
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00412274 FindFirstFileA,FindNextFileA,FindFirstFileA,FindNextFileA,FindFirstFileA,Sleep,FindNextFileA, 0_2_00412274
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00412270 FindFirstFileA,FindNextFileA,FindFirstFileA,FindNextFileA,FindFirstFileA,Sleep,FindNextFileA, 0_2_00412270

Networking

Source: Traffic Snort IDS: 2804962 ETPRO TROJAN Win32/Viking.GN ICMP Echo Request 192.168.2.5: -> 192.168.2.1:
Source: Traffic Snort IDS: 2008017 ET TROJAN Philis.J ICMP Sweep (Payload Hello World) 192.168.2.1: -> 192.168.2.5:
Source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp, integrator.exe.0.dr String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: 1.exe, 00000000.00000003.2225154341.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedStateInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: 1.exe, 00000000.00000002.4450973243.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4450486239.0000000001F60000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://258ip.com/down/update1.exehttp://258ip.com/down/update2.exehttp://258ip.com/down/update3.exeh
Source: 1.exe, 00000000.00000002.4451156723.00000000021C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2237302809.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.00000000040B4000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2244245625.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2240859710.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2243476720.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2100872044.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2236451239.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2241462892.000000000207F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.0000000004137000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2243142876.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2240207923.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
00000000.00000003.2289661125.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2237302809.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2072838492.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2199695779.0000000004307000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.00000000040B4000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.0000000002C03000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2072167354.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2244245625.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2240859710.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2301308090.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2086159442.000000000430A000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2094191005.0000000004297000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2099967561.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2243476720.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2097585988.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2190991302.00000000044C9000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2215777859.00000000043EC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2091866454.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 
00000000.00000003.2072470333.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 1.exe, 00000000.00000003.2100872044.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: 1.exe, 00000000.00000003.2100872044.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2237302809.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.00000000040B4000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2244245625.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2240859710.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2236451239.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2241462892.000000000207F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.0000000004137000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2243142876.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2240207923.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: 1.exe, 00000000.00000003.2100872044.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2237302809.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2072838492.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2199695779.0000000004307000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.00000000040B4000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.0000000002C03000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2072167354.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2244245625.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2240859710.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2301308090.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2086159442.000000000430A000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2094191005.0000000004297000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2099967561.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2097585988.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2190991302.00000000044C9000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2215777859.00000000043EC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2091866454.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2072470333.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 
00000000.00000003.2289661125.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000008.00000000.2035366718.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4467406438.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 1.exe, 00000000.00000003.2267949785.000000000414D000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265959897.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2274244679.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266970768.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266435450.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265360973.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 1.exe, 00000000.00000003.2267949785.000000000414D000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265959897.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2274244679.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266970768.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266435450.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265360973.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 1.exe, 00000000.00000003.2267949785.000000000414D000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265959897.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2274244679.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266970768.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266435450.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265360973.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 1.exe, 00000000.00000003.2267949785.000000000414D000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265959897.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2274244679.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266970768.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266435450.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265360973.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: explorer.exe, 00000008.00000000.2034860776.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.4464152797.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.4466202794.0000000008890000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: 1.exe, 00000000.00000003.2267949785.000000000414D000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265959897.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2274244679.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266970768.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266435450.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265360973.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 1.exe, 00000000.00000003.2267949785.000000000414D000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265959897.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2274244679.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266970768.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266435450.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2265360973.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://stackoverflow.com/a/1465386/4224163
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://stackoverflow.com/a/15123777)
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascript
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://stackoverflow.com/questions/1068834/object-comparison-in-javascript
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.activestate.com
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.activestate.comHolger
Source: 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: 1.exe, 00000000.00000003.2265959897.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2274244679.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2266435450.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: 1.exe, 00000000.00000003.2267949785.000000000414D000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2038353253.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.baanboard.com
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.baanboard.comBrendon
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.computerhope.com/forum/index.php?topic=76293.0
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.develop.com
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.develop.comDeepak
Source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2237302809.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2072838492.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2199695779.0000000004307000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.00000000040B4000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.0000000002C03000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2072167354.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2244245625.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2240859710.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2301308090.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2086159442.000000000430A000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2094191005.0000000004297000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2099967561.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2097585988.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2246792271.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2190991302.00000000044C9000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2215777859.00000000043EC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2091866454.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2072470333.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 
00000000.00000003.2289661125.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: 1.exe, 00000000.00000003.2100872044.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.lua.org
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.rftp.com
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.rftp.comJosiah
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.scintilla.org
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.scintilla.org/scite.rng
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.spaceblue.com
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.spaceblue.comMathias
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.tutorialspoint.com/javascript/array_map.htm
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachine
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload
Source: explorer.exe, 00000008.00000003.3790282794.000000000C512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2037794492.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4476952895.000000000C512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3096602674.000000000C50F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000008.00000002.4459812498.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2032781472.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000008.00000000.2035366718.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4467406438.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000008.00000000.2032781472.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4459812498.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000003.3789329026.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4452064675.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2031787683.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: 1.exe, 00000000.00000003.2212956369.0000000004071000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2215777859.0000000004071000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: 1.exe, 00000000.00000003.2212956369.0000000004071000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report..
Source: 1.exe, 00000000.00000003.2069214748.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxBrowser
Source: 1.exe, 00000000.00000003.2190991302.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlBrowser
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://comments.adobe.io
Source: 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://comments.adobe.io/schemas/annots_metadata.jsonld
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://comments.adobe.io/schemas/bulk_entity_v1.json
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
Source: 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://comments.adobe.io/schemas/user_comment_metadata_result_v1.json
Source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: 1.exe, 00000000.00000003.2215777859.0000000004071000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2199695779.00000000042BC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://crashpad.chromium.org/
Source: 1.exe, 00000000.00000003.2215777859.0000000004071000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2199695779.00000000042BC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: 1.exe, 00000000.00000003.2215777859.0000000004071000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2199695779.00000000042BC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: 1.exe, 00000000.00000003.2069214748.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2190991302.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/820996
Source: 1.exe, 00000000.00000003.2190991302.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/820996LaunchElevatedProcessXML
Source: 1.exe, 00000000.00000003.2069214748.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/820996LaunchElevatedProcessdisable-best-effort-tasksdisable-breakpaddisable-featur
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dc-api.adobe.io/discovery
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dc-api.adobe.io/discoverySoftware
Source: 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dc-api.adobe.io/schemas/discovery_v1.json
Source: 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dc-api.adobe.io/schemas/folder_listing_v1.json
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
Source: 1.exe, 00000000.00000003.2294377748.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
Source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_8e48fb1d-2
Source: Yara match File source: Process Memory Space: 1.exe PID: 4324, type: MEMORYSTR

System Summary

Source: Dll.dll.0.dr Static PE information: section name:
Source: Dll.dll.0.dr Static PE information: section name:
Source: Dll.dll.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_004059A8 GetProcAddress,NtOpenThread,FreeLibrary, 0_2_004059A8
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00405A5B GetProcAddress,NtOpenThread,FreeLibrary, 0_2_00405A5B
Source: C:\Users\user\Desktop\1.exe File created: C:\Windows\rundl132.exe
Source: C:\Users\user\Desktop\1.exe File created: C:\Windows\Dll.dll
Source: 1.exe, 00000000.00000003.2299284398.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVSTOInstaller.exe^ vs 1.exe
Source: 1.exe, 00000000.00000003.2225154341.00000000044F3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIntegratedOffice.exeB vs 1.exe
Source: 1.exe, 00000000.00000003.2084471694.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEula.exe* vs 1.exe
Source: 1.exe, 00000000.00000003.2243142876.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepingsender.exe0 vs 1.exe
Source: 1.exe, 00000000.00000003.2291219135.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamejucheck.exe\ vs 1.exe
Source: 1.exe, 00000000.00000002.4450973243.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename" vs 1.exe
Source: 1.exe, 00000000.00000002.4451156723.00000000025B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIntegrator.exeB vs 1.exe
Source: 1.exe, 00000000.00000003.2303685427.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGoogleUpdate.exe< vs 1.exe
Source: 1.exe, 00000000.00000003.2240207923.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemaintenanceservice.exe0 vs 1.exe
Source: 1.exe, 00000000.00000003.2209901402.0000000004200000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameelevation_service.exe< vs 1.exe
Source: 1.exe, 00000000.00000003.2215777859.0000000004071000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ..\..\base\files\file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootReplaceFileWPathExistsDirectoryExistsC:\CreateAndOpenTemporaryFileInDir.tmpCreateTemporaryDirInDirGetSecureSystemTempSystemTempCreateDirectoryAndGetErrorMakeLongFilePathGetFileInfoOpenFileWriteFileGetCurrentDirectoryWSetCurrentDirectoryWWDMoveUnsafeCopyAndDeleteDirectoryDoDeleteFile*DoCopyDirectoryPathHasAccessDoCopyFile..\..\base\files\file_enumerator_win.ccNext..\..\base\file_version_info_win.ccCreateFileVersionInfoWinCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\..\..\base\metrics\persistent_histogram_storage.ccCould not write "" persistent histograms to file as the storage base directory is not properly set." persistent histograms to file as the storage directory cannot be created." persistent histograms to file as the storage directory does not exist.%04d%02d%02d%02d%02d%02dPersistent histograms fail to write to file: scoped_dir..\..\base\files\file_util.ccReadStreamToSpanWithMaxSizeinvalid vs 1.exe
Source: 1.exe, 00000000.00000003.2266435450.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Info.exe0 vs 1.exe
Source: 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: F@ Error3, 3, 16, 1Aut2ExeAutoItIt is a violation of the AutoIt EULA to attempt to reverse engineer this program.Application integrity can't be verified.Aut2Exe - v (AutoIt Script to EXE Converter)Software\AutoIt v3\AutoItSoftware\AutoIt v3\Aut2ExeSoftware\HiddenSoft\AutoIt3\Aut2ExeLastScriptDirLastExeDirLastIconDirLastIconLastCompressionUseUPX\AutoIt v3\Aut2Exetmp/in/out/icon/pass/nodecompile/compression/comp/nopack/pack/ansi/unicode/x86/x64/bin/nobeeperror/gui/console/execlevelHIGHESTAVAILABLEREQUIREADMINISTRATORNONE/ignoredirectives/inputboxres/comments/companyname/filedescription/internalname/legalcopyright/legaltrademarks/originalfilename/productname/fileversion,/productversion.a3x.exeAutoIt files (*.au3)*.au3All files (*.*)*.*au3Encoded script files (*.a3x)*.a3xExecutable files (*.exe)*.exea3xexeIcon files (*.ico)*.icoicoReadyAbor&t&Convert.tokCompiling script...AutoItSC_x64.binAutoItSC.binBIN64BIN32Error: Unable to extract interpreter.Error: Unable to create temporary executable: vs 1.exe
Source: 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Aborting...%s (%d%% Complete / %d%% Compression)requireAdministratorasInvokerhighestAvailableVS_VERSION_INFOStringFileInfoVarFileInfoTranslationCommentsCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTrademarksOriginalFilenameProductNameProductVersion."upx.exe" --best --compress-icons=0 --keep-resource=10/SCRIPT " vs 1.exe
Source: 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: #includeRun Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*#include depth exceeded. Make sure there are no recursive includesError opening the fileBad directive syntax errorUnterminated string#pragma compile#notrayicon#requireadmin#OnAutoItStartRegister#include-onceCannot parse #include#comments-start#csUnterminated group of comments#comments-end#ce)'CONSOLEAUTOITEXECUTEALLOWEDUPXX64COMPRESSIONICONOUTCOMPATIBILITYEXECLEVELINPUTBOXRESCOMMENTSCOMPANYNAMEFILEDESCRIPTIONFILEVERSIONINTERNALNAMELEGALCOPYRIGHTLEGALTRADEMARKSORIGINALFILENAMEPRODUCTNAMEPRODUCTVERSION vs 1.exe
Source: 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Aut2Exe.exe /in <infile.au3> [/out <outfile.exe>] [/icon <iconfile.ico>] [/comp 0-4] [/ignoredirectives] [/nopack] [/pack] [/ansi] [/unicode] [/x64] [/console] [/gui] [/execlevel <asinvoker | highestavailable | requireadministrator | none>] [/compatibility <vista | win7 | win8>] [/comments <>] [/companyname <>] [/filedescription <>] [/internalname <>] [/legalcopyright <>] [/legaltrademarks <>] [/originalfilename <>] [/productname <>] [/fileversion <fixednum[,num]>] [/productversion <fixednum[,num]>](Error: Unable to create temporary files.]Error: An error was encountered while trying to read in the script file and/or include files.-Error: Unable to create the compiled archive.+Error: Invalid "FileInstall" syntax found. ;Error: Unable to execute upx.exe to compress stub file: vs 1.exe
Source: 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAut2Exe.exe0 vs 1.exe
Source: 1.exe, 00000000.00000003.2265360973.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAu3Check.exeN vs 1.exe
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLogTransport2.exe0 vs 1.exe
Source: 1.exe Binary or memory string: OriginalFilename" vs 1.exe
Source: 1.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@13/1028@0/100
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_004056C4 CreateToolhelp32Snapshot, 0_2_004056C4
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404372 FindResourceA, 0_2_00404372
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files\_desktop.ini
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000014.db
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: Yara match File source: 00000000.00000002.4447030091.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\1.exe File read: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted,(SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = 
resource_content.resource_content_id) WHERE( branches.content_item_id = :id AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE branches SET content_item_revision_id = :contentItemRevisionId, modified = :modified, download_state = :downloadState WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS resource_content ( resource_content_id TEXT PRIMARY KEY NOT NULL, resource_content TEXT NOT NULL);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO content_items( creation_id, asset_id, type, content_item_type, created, removed_from_server, pending_local_delete) VALUES( :creationId, :assetId, :type, :contentItemType, :created, :removedFromServer, :pendingLocalDelete);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT OR REPLACE INTO branches( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT OR REPLACE INTO content_item_relations( src_content_item_id, target_content_item_id, rel) VALUES( :srcContentItemId, :targetContentItemId, :rel);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO resource_revisions( revision_id, rel_to_content_item, resource_type, media_type, locator, committed, hashType, hash, storageSize, width, height) VALUES( :revisionId, :relToContentItem, :resourceType, :mediaType, :locator_var, :committed_var, :hashType_var, :hash_var, :storageSize_var, :width_var, :height_var);
Source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2225154341.0000000004060000.00000004.00001000.00020000.00000000.sdmp, integrator.exe.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS branches ( content_item_id TEXT NOT NULL, content_item_revision_id TEXT NOT NULL, branch_name TEXT NOT NULL, app_id TEXT NOT NULL, is_transient INTEGER DEFAULT 0 NOT NULL, record_created TIMESTAMP NOT NULL, modified TIMESTAMP NOT NULL, download_state TEXT DEFAULT NULL, PRIMARY KEY (content_item_id, branch_name, app_id));
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_resources ( content_item_revision_id TEXT NOT NULL, resource_revision_id TEXT NOT NULL, resource_id TEXT DEFAULT NULL, resource_cloud_etag TEXT DEFAULT NULL, resource_cloud_version_id TEXT DEFAULT NULL, resource_local_etag TEXT DEFAULT NULL, resource_local_version_id TEXT DEFAULT NULL, PRIMARY KEY (content_item_revision_id, resource_revision_id));
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO device_mappings( device_mapping_id, content_item_id, collection_id, content_item_type, include_rel_types, include_depth, branch, TTL, Priority, app_info) VALUES( :deviceMappingId, :contentItemId, :collectionId, :contentItemType, :includeRelTypes, :includeDepth, :branch, :TTL, :priority, :appInfo);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO content_item_resources( content_item_revision_id, resource_revision_id) VALUES( :contentItemRevisionId, :resourceRevisionId);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO branches ( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
Source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2225154341.0000000004060000.00000004.00001000.00020000.00000000.sdmp, integrator.exe.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE content_items SET removed_from_server = :removedFromServer WHERE( creation_id = :creationId);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE branches SET modified = :modified WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT branches.content_item_id FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = :branch1 AND branches.content_item_id = :contentItemId AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = :branch2 AND branches.content_item_id = :contentItemId))));
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Select Count(SessionId) from DataTable;
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: select count(*) from SQLITE_MASTER where type = "table";
Source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2225154341.0000000004060000.00000004.00001000.00020000.00000000.sdmp, integrator.exe.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO content_item_revisions( content_item_revision_id, cloud_etag, updated, local_etag, request_id, content_name) VALUES( :contentIemRevisionId, :cloudEtag, :updated, :localEtag, :requestId, :contentName);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_revisions( content_item_revision_id TEXT PRIMARY KEY NOT NULL, cloud_etag TEXT DEFAULT NULL, cloud_version_id TEXT DEFAULT NULL, updated TIMESTAMP DEFAULT NULL, acl TEXT DEFAULT NULL, local_etag TEXT DEFAULT NULL, local_version_id TEXT DEFAULT NULL, request_id TEXT DEFAULT NULL, content_name TEXT DEFAULT NULL);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS content_items( creation_id TEXT PRIMARY KEY NOT NULL, asset_id TEXT DEFAULT NULL, type TEXT NOT NULL, content_item_type TEXT NOT NULL, created TEXT NOT NULL, removed_from_server INTEGER DEFAULT 0 NOT NULL, pending_local_delete INTEGER DEFAULT 0 NOT NULL, update_seq_num INTEGER DEFAULT 0 NOT NULL);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE pending_requests SET request_status = :requestStatus, message = :message, status_code = :statusCode WHERE( pending_request_id = :pendingRequestId);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_id = :contentItemId);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT OR REPLACE INTO branches ( content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, branch_name) SELECT content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, :targetBranchname from branches WHERE branch_name = :srcBranchname AND content_item_id = :contentItemId AND app_id = :appId;
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT branches.content_item_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) JOIN content_items ON( content_items.creation_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch1 AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id NOT IN ( SELECT branches.content_item_revision_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch2))));
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_relations ( src_content_item_id TEXT NOT NULL, target_content_item_id TEXT NOT NULL, rel TEXT NOT NULL, PRIMARY KEY (src_content_item_id, target_content_item_id, rel));
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO pending_requests( pending_request_id, request_type, content_item_id, context) VALUES( :pendingRequestId, :requestType, :contentItemId, :context);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT *, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = creation_id_local AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload, (SELECT 1 from branches where branch_name = 'conflict' AND content_item_id = creation_id_local) as is_conflicted, ( SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id and branches.content_item_id = creation_id_local) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base'))))) as is_sync_pending FROM ( SELECT content_item_relations.src_content_item_id, branches.download_state, branches.record_created, branches.modified, content_items.creation_id , content_items.creation_id as creation_id_local, branches.content_item_id, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, 
content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE content_item_revisions SET local_etag = :localEtag, request_id = :requestId, updated = :updated WHERE( content_item_revision_id IN ( SELECT content_item_revision_id FROM branches WHERE( content_item_id = :contentItemId AND branch_name = :branchName ANDapp_id = :appId)));
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType and content_item_id = :contentItemId);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE device_mappings SET unPinned = 1 WHERE(content_item_id = :contentItemId);
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS DataTable(SessionId STRING PRIMARY KEY,Product STRING,UpdateTimestamp INTEGER,Status INTEGER, SchemaVersion TEXT);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS pending_requests ( pending_request_id TEXT PRIMARY KEY NOT NULL, request_type TEXT NOT NULL, content_item_id TEXT DEFAULT NULL, context TEXT DEFAULT NULL, pending_request_created TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now', 'localtime')) NOT NULL, request_status TEXT DEFAULT "CREATED" NOT NULL, message TEXT DEFAULT NULL, status_code INTEGER DEFAULT -1 NOT NULL, device_mapping_id TEXT DEFAULT NULL, UNIQUE (content_item_id, request_type, request_status));
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :assetId AND branches.branch_name = :branchName AND branches.app_id = :appId);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT content_items.creation_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'current' AND branches.app_id = :appid) AND ((content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR (content_item_revisions.content_item_revision_id) NOT IN ( SELECT content_item_revisions.content_item_revision_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'base' AND branches.app_id = :appid))) AND content_items.creation_id NOT IN ( SELECT content_item_id FROM branches WHERE( branch_name = 'error'));
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT creation_id FROM content_items WHERE asset_id = :assetId;
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM device_mappings WHERE( unPinned = 1);
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted, (SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :collectionId AND branches.branch_name = :branchName AND branches.app_id = :appId)) as collection_cloud_etag FROM branches JOIN content_items ON 
(branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN content_item_rel
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_type = :resourceType);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_updates ( seq_num INTEGER PRIMARY KEY NOT NULL, app_id TEXT NOT NULL, content_item_local_id TEXT NOT NULL, time TIMESTAMP NOT NULL, operation TEXT NOT NULL);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE content_items SET asset_id = :assetId WHERE( creation_id = :creationId);
Source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2225154341.0000000004060000.00000004.00001000.00020000.00000000.sdmp, integrator.exe.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS device_mappings ( device_mapping_id TEXT PRIMARY KEY NOT NULL, content_item_id TEXT NOT NULL, content_item_type TEXT NOT NULL, include_rel_types TEXT DEFAULT NULL, include_depth INTEGER DEFAULT 0 NOT NULL, branch TEXT DEFAULT NULL, device_mapping_created TIMESTAMP DEFAULT (strftime('%s', 'now')) NOT NULL, collection_id TEXT DEFAULT NULL, TTL INTEGER DEFAULT 0 NOT NULL, Priority INTEGER DEFAULT 0 NOT NULL, app_info TEXT NOT NULL, unPinned INTEGER DEFAULT 0 NOT NULL, UNIQUE (content_item_id, branch));
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO resource_content( resource_content_id, resource_content) VALUES ( :resourceContentId, :resourceContent);
Source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT *FROM pending_requests WHERE(content_item_id = :contentItemId);
Source: 1.exe Virustotal: Detection: 87%
Source: C:\Users\user\Desktop\1.exe File read: C:\Users\user\Desktop\1.exe
Source: unknown Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe Process created: C:\Windows\SysWOW64\net.exe net stop "Kingsoft AntiVirus Service"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Source: C:\Users\user\Desktop\1.exe Process created: C:\Windows\SysWOW64\net.exe net stop "Kingsoft AntiVirus Service"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: schedcli.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: icmp.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\explorer.exe Section loaded: dlnashext.dll
Source: C:\Windows\explorer.exe Section loaded: wpdshext.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\System32\notepad.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\1.exe File written: C:\_desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\7-Zip\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\7-Zip\Lang\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\swiftshader\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\locales\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\swiftshader\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\CAN\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\DEU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\FRA\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\JPN\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\UK\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\ENU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Javascripts\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ar_AE\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\cs_CZ\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\da_DK\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\de_DE\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\el_GR\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_AE\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_GB\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_IL\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_US\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\es_ES\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fi_FI\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_FR\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_MA\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\he_IL\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\hu_HU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\it_IT\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ja_JP\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ko_KR\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nb_NO\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nl_NL\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pl_PL\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pt_BR\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ru_RU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sk_SK\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sl_SI\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sv_SE\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\tr_TR\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\uk_UA\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_CN\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_TW\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\en_US\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\prc\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\private\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\prod\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\stage\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\fonts\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\css\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\fonts\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\images\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\js\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\app\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\app\dev\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\app\dev\cef\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\core\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\core\dev\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\core\dev\cef\_desktop.ini
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\core\dev\libs\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\files\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\files\dev\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\files\dev\cef\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\files\dev\libs\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\hi_contrast\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\themes\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\themes\dark\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\hi_contrast\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\themes\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\themes\dark\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\themes\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ca-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\cs-cz\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\da-dk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\de-de\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\es-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\eu-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-ma\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\he-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hr-hr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hu-hu\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ja-jp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ko-kr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nl-nl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ro-ro\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ru-ru\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sk-sk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sl-sl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\uk-ua\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-tw\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app-api\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app-api\dev\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ca-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-gb\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fi-fi\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\he-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hu-hu\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nb-no\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nl-nl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pt-br\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ro-ro\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sl-si\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-cn\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-tw\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ca-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\cs-cz\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-gb\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\eu-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fi-fi\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-fr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hr-hr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hu-hu\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\it-it\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ja-jp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pl-pl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\root\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ru-ru\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sk-sk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sl-si\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sv-se\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\uk-ua\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-cn\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-tw\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\microsoftGraph\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\require\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\require\2.1.15\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\misc\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\css\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\images\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\he-il\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini Jump to behavior
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: 1.exe, 00000000.00000003.2100872044.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: 1.exe, 00000000.00000003.2288712461.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source: Binary string: NisSrv.pdb source: 1.exe, 00000000.00000002.4451156723.00000000021C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: 1.exe, 00000000.00000003.2072167354.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: 1.exe, 00000000.00000003.2072838492.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: 1.exe, 00000000.00000003.2072838492.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: 1.exe, 00000000.00000003.2073003378.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroCEF\AcroCEF.pdbI source: 1.exe, 00000000.00000003.2086159442.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: plugin-container.pdb source: 1.exe, 00000000.00000003.2243476720.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: crashreporter.pdb source: 1.exe, 00000000.00000003.2236451239.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: 1.exe, 00000000.00000003.2099967561.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: 1.exe, 00000000.00000003.2085825576.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: tnameserv.exe.0.dr
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: 1.exe, 00000000.00000003.2091866454.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatExe.pdb source: 1.exe, 00000000.00000003.2069214748.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: 1.exe, 00000000.00000003.2072329052.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: 1.exe, 00000000.00000003.2199695779.00000000042BC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: 1.exe, 00000000.00000003.2303685427.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, GoogleCrashHandler64.exe.0.dr
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb# source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pingsender.pdb source: 1.exe, 00000000.00000003.2243142876.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x64\ship\click2run\x-none\IntegratedOffice.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: 1.exe, 00000000.00000003.2225154341.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: 1.exe, 00000000.00000003.2270489248.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_acro.pdbT source: 1.exe, 00000000.00000003.2094191005.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: 1.exe, 00000000.00000003.2073003378.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: 1.exe, 00000000.00000003.2287533320.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: 1.exe, 00000000.00000003.2072470333.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 1.exe, 00000000.00000002.4451156723.00000000021C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp, integrator.exe.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source: Binary string: private_browsing.pdb source: 1.exe, 00000000.00000003.2244245625.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: 1.exe, 00000000.00000003.2072329052.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: 1.exe, 00000000.00000003.2299846343.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler_unsigned.pdb source: 1.exe, 00000000.00000003.2302768967.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: 1.exe, 00000000.00000002.4451156723.0000000002495000.00000004.00000020.00020000.00000000.sdmp, integrator.exe.0.dr
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: 1.exe, 00000000.00000003.2083949774.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: VSTOInstaller.pdb source: 1.exe, 00000000.00000003.2299284398.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, VSTOInstaller.exe.0.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: 1.exe, 00000000.00000003.2209901402.0000000004071000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: 1.exe, 00000000.00000003.2072167354.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: 1.exe, 00000000.00000003.2099466968.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: 1.exe, 00000000.00000003.2240207923.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\jim\Desktop\metro research\ApplicationID\Release\ApplicationID.pdb source: 1.exe, 00000000.00000003.2246792271.00000000040B4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: 1.exe, 00000000.00000003.2097585988.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb source: 1.exe, 00000000.00000003.2073322688.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: 1.exe, 00000000.00000003.2091866454.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdbP source: 1.exe, 00000000.00000003.2238708126.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: 1.exe, 00000000.00000002.4451156723.00000000021C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdate_unsigned.pdb source: 1.exe, 00000000.00000003.2304800992.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb source: 1.exe, 00000000.00000003.2215777859.0000000004071000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: private_browsing.pdbp source: 1.exe, 00000000.00000003.2244245625.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: 1.exe, 00000000.00000003.2100872044.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: 1.exe, 00000000.00000003.2099192699.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: 1.exe, 00000000.00000003.2083949774.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: 1.exe, 00000000.00000003.2296957210.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x64\ship\click2run\x-none\IntegratedOffice.pdb source: 1.exe, 00000000.00000003.2225154341.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: 1.exe, 00000000.00000003.2207469171.0000000004071000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: 1.exe, 00000000.00000003.2099967561.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: 1.exe, 00000000.00000003.2240207923.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: 1.exe, 00000000.00000003.2085825576.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\AcrobatExe.pdb source: 1.exe, 00000000.00000003.2190991302.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: 1.exe, 00000000.00000003.2287533320.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: 1.exe, 00000000.00000003.2084471694.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: 1.exe, 00000000.00000003.2303685427.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp, GoogleCrashHandler64.exe.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb8 source: 1.exe, 00000000.00000003.2301308090.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler_unsigned.pdbp source: 1.exe, 00000000.00000003.2302768967.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb source: 1.exe, 00000000.00000003.2083187341.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\workspace\RT_Win_8_2\Mainline\public\binary\Win\x64\Release\LogTransport2.pdbTTNGCTL source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: minidump-analyzer.pdb source: 1.exe, 00000000.00000003.2241462892.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_proxy.exe.pdb source: 1.exe, 00000000.00000003.2205445463.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: orbd.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: 1.exe, 00000000.00000003.2296957210.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_acro.pdb source: 1.exe, 00000000.00000003.2094191005.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe_x64.pdb source: 1.exe, 00000000.00000003.2274244679.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\notification_helper.exe.pdb source: 1.exe, 00000000.00000003.2212956369.0000000004071000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: 1.exe, 00000000.00000003.2072470333.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NisSrv.pdbGCTL source: 1.exe, 00000000.00000002.4451156723.00000000021C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb22 source: 1.exe, 00000000.00000003.2073322688.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source: Binary string: default-browser-agent.pdb source: 1.exe, 00000000.00000003.2237302809.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: updater.pdb source: 1.exe, 00000000.00000003.2244536391.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: 1.exe, 00000000.00000003.2099192699.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: 1.exe, 00000000.00000003.2074834480.0000000004060000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000002.4451156723.00000000026BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: 1.exe, 00000000.00000003.2300597090.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: 1.exe, 00000000.00000003.2301308090.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroCEF\AcroCEF.pdb source: 1.exe, 00000000.00000003.2086159442.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: 1.exe, 00000000.00000003.2084471694.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\mozilla-source\mozilla-central\other-licenses\nsis\Contrib\HttpPostFile\Release\HttpPostFile.pdb source: 1.exe, 00000000.00000003.2246792271.0000000004137000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ source: 1.exe, 00000000.00000003.2083187341.0000000001FCC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\workspace\RT_Win_8_2\Mainline\public\binary\Win\x64\Release\LogTransport2.pdb source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00406A18 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_00406A18
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
Source: 1.exe Static PE information: section name: .Upack
Source: rundl132.exe.0.dr Static PE information: section name: .Upack
Source: AppSharingHookController64.exe.0.dr Static PE information: section name: .Upack
Source: Dll.dll.0.dr Static PE information: section name: .petite
Source: Dll.dll.0.dr Static PE information: section name:
Source: Dll.dll.0.dr Static PE information: section name:
Source: Dll.dll.0.dr Static PE information: section name:
Source: SQLDumper.exe.0.dr Static PE information: section name: .Upack
Source: Uninstall.exe.0.dr Static PE information: section name: .Upack
Source: maintenanceservice.exe.0.dr Static PE information: section name: .Upack
Source: jusched.exe.0.dr Static PE information: section name: .Upack
Source: jucheck.exe.0.dr Static PE information: section name: .Upack
Source: jaureg.exe.0.dr Static PE information: section name: .Upack
Source: armsvc.exe.0.dr Static PE information: section name: .Upack
Source: AdobeARMHelper.exe.0.dr Static PE information: section name: .Upack
Source: VSTOInstaller.exe.0.dr Static PE information: section name: .Upack
Source: javaws.exe.0.dr Static PE information: section name: .Upack
Source: javaw.exe.0.dr Static PE information: section name: .Upack
Source: java.exe.0.dr Static PE information: section name: .Upack
Source: GoogleCrashHandler64.exe.0.dr Static PE information: section name: .Upack
Source: GoogleCrashHandler.exe.0.dr Static PE information: section name: .Upack
Source: GoogleUpdateOnDemand.exe.0.dr Static PE information: section name: .Upack
Source: GoogleUpdateCore.exe.0.dr Static PE information: section name: .Upack
Source: GoogleUpdateComRegisterShell64.exe.0.dr Static PE information: section name: .Upack
Source: GoogleUpdateBroker.exe.0.dr Static PE information: section name: .Upack
Source: GoogleUpdate.exe.0.dr Static PE information: section name: .Upack
Source: java.exe0.0.dr Static PE information: section name: .Upack
Source: java-rmi.exe.0.dr Static PE information: section name: .Upack
Source: jabswitch.exe.0.dr Static PE information: section name: .Upack
Source: javaws.exe0.0.dr Static PE information: section name: .Upack
Source: javaw.exe0.0.dr Static PE information: section name: .Upack
Source: javacpl.exe.0.dr Static PE information: section name: .Upack
Source: rmiregistry.exe.0.dr Static PE information: section name: .Upack
Source: pack200.exe.0.dr Static PE information: section name: .Upack
Source: orbd.exe.0.dr Static PE information: section name: .Upack
Source: ktab.exe.0.dr Static PE information: section name: .Upack
Source: klist.exe.0.dr Static PE information: section name: .Upack
Source: kinit.exe.0.dr Static PE information: section name: .Upack
Source: keytool.exe.0.dr Static PE information: section name: .Upack
Source: jp2launcher.exe.0.dr Static PE information: section name: .Upack
Source: jjs.exe.0.dr Static PE information: section name: .Upack
Source: rmid.exe.0.dr Static PE information: section name: .Upack
Source: policytool.exe.0.dr Static PE information: section name: .Upack
Source: unpack200.exe.0.dr Static PE information: section name: .Upack
Source: tnameserv.exe.0.dr Static PE information: section name: .Upack
Source: ssvagent.exe.0.dr Static PE information: section name: .Upack
Source: servertool.exe.0.dr Static PE information: section name: .Upack
Source: integrator.exe.0.dr Static PE information: section name: .Upack
Source: MSOHTMED.EXE.0.dr Static PE information: section name: .Upack
Source: LICLUA.EXE.0.dr Static PE information: section name: .Upack
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_0040507C push 00405188h; ret 0_2_00405180
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_0040502C push 00405058h; ret 0_2_00405050
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_0040403C push 0040408Dh; ret 0_2_00404085
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_004078F4 push 00407920h; ret 0_2_00407918
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_0040792C push 00407958h; ret 0_2_00407950
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_0040426C push 00404298h; ret 0_2_00404290
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00407AD4 push 00407B20h; ret 0_2_00407B18
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_004042A4 push 004042D0h; ret 0_2_004042C8
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404B50 push 00404B7Ch; ret 0_2_00404B74
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00407BEC push 00407C18h; ret 0_2_00407C10
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00406BA4 push 00406BD0h; ret 0_2_00406BC8
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404BAE push 00404BDCh; ret 0_2_00404BD4
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404BB0 push 00404BDCh; ret 0_2_00404BD4
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00405C44 push 00405C70h; ret 0_2_00405C68
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_004054E4 push 00405510h; ret 0_2_00405508
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_004054AC push 004054D8h; ret 0_2_004054D0
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_0040552A push 00405558h; ret 0_2_00405550
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_0040552C push 00405558h; ret 0_2_00405550
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404E75 push 00404EC8h; ret 0_2_00404EC0
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404E7C push 00404EC8h; ret 0_2_00404EC0
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404608 push 00404634h; ret 0_2_0040462C
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404ECA push 00404F2Fh; ret 0_2_00404F27
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404ECC push 00404F2Fh; ret 0_2_00404F27
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00406E98 push 00406EC4h; ret 0_2_00406EBC
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404F29 push 00404F2Fh; ret 0_2_00404F27
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404FF4 push 00405020h; ret 0_2_00405018
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_004067A4 push 004067E6h; ret 0_2_004067DE
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_004057AA push 004057D8h; ret 0_2_004057D0
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_004057AC push 004057D8h; ret 0_2_004057D0
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00412CE0 push 00412D39h; ret 0_2_00412D31
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00412CDE push 00412D39h; ret 0_2_00412D31
Source: 1.exe Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: rundl132.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: AppSharingHookController64.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: Dll.dll.0.dr Static PE information: section name: .petite entropy: 7.8822889544063
Source: SQLDumper.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: Uninstall.exe.0.dr Static PE information: section name: .rsrc entropy: 7.857432355462329
Source: maintenanceservice.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: jusched.exe.0.dr Static PE information: section name: .rsrc entropy: 7.890784772459498
Source: jucheck.exe.0.dr Static PE information: section name: .rsrc entropy: 7.86796165586835
Source: jaureg.exe.0.dr Static PE information: section name: .rsrc entropy: 7.878304669434353
Source: armsvc.exe.0.dr Static PE information: section name: .rsrc entropy: 7.880507599121225
Source: AdobeARMHelper.exe.0.dr Static PE information: section name: .rsrc entropy: 7.9570525738931766
Source: VSTOInstaller.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: javaws.exe.0.dr Static PE information: section name: .rsrc entropy: 7.86796165586835
Source: javaw.exe.0.dr Static PE information: section name: .rsrc entropy: 7.86796165586835
Source: java.exe.0.dr Static PE information: section name: .rsrc entropy: 7.86796165586835
Source: GoogleCrashHandler64.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: GoogleCrashHandler.exe.0.dr Static PE information: section name: .rsrc entropy: 7.892629602364019
Source: GoogleUpdateOnDemand.exe.0.dr Static PE information: section name: .rsrc entropy: 7.892629602364019
Source: GoogleUpdateCore.exe.0.dr Static PE information: section name: .rsrc entropy: 7.892629602364019
Source: GoogleUpdateComRegisterShell64.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: GoogleUpdateBroker.exe.0.dr Static PE information: section name: .rsrc entropy: 7.892629602364019
Source: GoogleUpdate.exe.0.dr Static PE information: section name: .rsrc entropy: 7.892629602364019
Source: java.exe0.0.dr Static PE information: section name: .rsrc entropy: 7.86796165586835
Source: java-rmi.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: jabswitch.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: javaws.exe0.0.dr Static PE information: section name: .rsrc entropy: 7.86796165586835
Source: javaw.exe0.0.dr Static PE information: section name: .rsrc entropy: 7.86796165586835
Source: javacpl.exe.0.dr Static PE information: section name: .rsrc entropy: 7.86796165586835
Source: rmiregistry.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: pack200.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: orbd.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: ktab.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: klist.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: kinit.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: keytool.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: jp2launcher.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: jjs.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: rmid.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: policytool.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: unpack200.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: tnameserv.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: ssvagent.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: servertool.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: integrator.exe.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: MSOHTMED.EXE.0.dr Static PE information: section name: .rsrc entropy: 7.883969322730811
Source: LICLUA.EXE.0.dr Static PE information: section name: .rsrc entropy: 7.959227025520099

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\7-Zip\7zFM.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\7-Zip\7z.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\7-Zip\7zG.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Windows\rundl132.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe File created: C:\Windows\Dll.dll Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\1.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows load Jump to behavior
Source: C:\Users\user\Desktop\1.exe Process created: C:\Windows\SysWOW64\net.exe net stop "Kingsoft AntiVirus Service"

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\1.exe File created: C:\$Recycle.Bin\_desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1.exe Window / User API: threadDelayed 1961 Jump to behavior
Source: C:\Users\user\Desktop\1.exe Window / User API: threadDelayed 7490 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 879 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 873 Jump to behavior
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Windows\Dll.dll Jump to dropped file
Source: C:\Users\user\Desktop\1.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\1.exe TID: 1868 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1.exe TID: 1868 Thread sleep time: -196100s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1.exe TID: 1868 Thread sleep time: -749000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404A80 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00404A80
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404A7E FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00404A7E
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00412274 FindFirstFileA,FindNextFileA,FindFirstFileA,FindNextFileA,FindFirstFileA,Sleep,FindNextFileA, 0_2_00412274
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00412270 FindFirstFileA,FindNextFileA,FindFirstFileA,FindNextFileA,FindFirstFileA,Sleep,FindNextFileA, 0_2_00412270
Source: C:\Users\user\Desktop\1.exe Thread delayed: delay time: 30000 Jump to behavior
Source: explorer.exe, 00000008.00000000.2032781472.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000008.00000003.3097392066.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000008.00000000.2035366718.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4467406438.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000008.00000003.3097392066.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000008.00000000.2035366718.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000008.00000003.3097392066.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2035366718.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000008.00000000.2031787683.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: 1.exe, 00000000.00000003.2190991302.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \Adobe\AdobeGCClient"\Adobe\AdobeGCClient\AGCInvokerUtility.exe\AGCInvokerUtility.exe --appID= --appVersion= --appProfileScope= --appPath=x-request-idROOT\CIMV2SELECT * FROM Win32_ComputerSystemWQLHypervisorPresentManufacturerModelVMwareVirtualBoxXenQEMUGoogleVirtualOpenStackSELECT * FROM Win32_ComputerSystemProductUUIDEC2lFnIsWow64Process2 not availablex64ARM64UnknownPROCESSOR_LEVELPROCESSOR_REVISION\\.\PhysicalDrive0%ProgramW6432%\Common FilesAdobe
Source: explorer.exe, 00000008.00000003.3097392066.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000008.00000000.2031787683.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000008.00000000.2031002716.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000008.00000000.2032781472.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000008.00000002.4467406438.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2035366718.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 1.exe, 00000000.00000002.4448360463.0000000000480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: explorer.exe, 00000008.00000000.2031787683.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000008.00000000.2031787683.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000008.00000003.3097392066.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: 1.exe, 00000000.00000002.4448360463.0000000000480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmswsock.dll
Source: explorer.exe, 00000008.00000000.2031002716.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000008.00000000.2035366718.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000002.4459812498.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\1.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00406A18 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_00406A18

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1.exe Memory allocated: C:\Windows\explorer.exe base: 1230000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1.exe Memory allocated: C:\Windows\explorer.exe base: 1240000 protect: page read and write
Source: C:\Users\user\Desktop\1.exe Memory written: PID: 1028 base: 1240000 value: 43
Source: C:\Users\user\Desktop\1.exe Memory written: PID: 1028 base: 1230000 value: B8
Source: C:\Users\user\Desktop\1.exe Memory written: C:\Windows\explorer.exe base: 1240000
Source: C:\Users\user\Desktop\1.exe Memory written: C:\Windows\explorer.exe base: 1230000
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00410494 LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,AllocateAndInitializeSid,AllocateAndInitializeSid, 0_2_00410494
Source: 1.exe, 00000000.00000003.2267949785.0000000004138000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000008.00000002.4470629782.0000000009BE4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3792018335.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3096212506.0000000009B7A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000008.00000000.2031428214.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.4449273187.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2032483601.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.2031428214.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.4449273187.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.2031428214.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.4449273187.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: 1.exe, 00000000.00000003.2282074477.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: 1.exe, 00000000.00000003.2069214748.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qn/qb REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 BROADCASTCEFRELOAD=1 \/0\*cef_*/qn CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /i msiexec.exe/i ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn.msiexec.exe/i ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn\msiexec.exeSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList\MRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunch\\\AppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProductVersionNumSoftware\Adobe\Acrobat\ExeSoftware\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770/\Click on 'Change' to select default PDF handler#32770ADelRCP.exepropertiesClick on 'Change' to select default PDF handler.pdfShowAppPickerForPDF.exeProgram ManagerPROGMANApplicationClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select 
default PDF handler Properties#3277012Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice.0Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\InstallerSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfSOFTWARE\Adobe\Acrobat Reader\12{A6EADE66-0000-0000-484E-7E8A45000000}{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinorVersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\.0SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\PATHVersionMajorVersionMinor7760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderDCSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\\InstallerSOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\ENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-00
Source: explorer.exe, 00000008.00000000.2031428214.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.4449273187.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.2031002716.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.4446753251.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: 1.exe, 00000000.00000003.2190991302.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {A6EADE66-0000-0000-484E-7E8A45000000}SOFTWARE\Adobe\Acrobat Reader\{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinor12VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0\InstallerPATHVersionMajorVersionMinor1207760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\.0DC\InstallerENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-0000-7760-7E8A45000000}TrunkBetaDCVersionMajorSOFTWARE\Google\Chrome\SOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajSOFTWARE\Google\Chrome\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapturehttps://clients2.google.com/service/update2/crxupdate_urlBrowser\WCChromeExtn\manifest.jsonSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkajAcrobat.Document.SOFTWARE\Google\Chrome\NativeMessagingHosts\Acrobat.Document.11.pdfcom.adobe.acrobat.chrome_webcaptureSOFTWARE\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj.VersionMajor{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\DC\InstallerLowerCoExVersionCoExRepairDone\RDCNotificationAppx\ADCNotificationAppx\NotificationAppxSOFTWARE\Adobe\Adobe Acrobat\\DC\SOFTWARE\Adobe\Adobe Acrobat\\DC\Installer\AppVersionAppVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionReleaseId/i msiexec.exe REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qnBROADCASTCEFRELOAD=1 REINSTALLMODE=omus 
DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 /qb\/\*cef_* CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /qn/i msiexec.exe ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exe ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn/i msiexec.exeAppDoNotTakePDFOwnershipAtLaunchSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithListMRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProdu
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_desktop.ini VolumeInformation
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00408E18 GetACP,ReadFile,GlobalAlloc,ReadFile,CloseHandle,FindCloseChangeNotification,Sleep,Sleep,GetLocalTime,CreateThread,Sleep,CreateThread,CreateThread,Sleep,TranslateMessage,DispatchMessageA,Sleep, 0_2_00408E18
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00404091 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, 0_2_00404091

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\1.exe Process created: C:\Windows\SysWOW64\net.exe net stop "Kingsoft AntiVirus Service"
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: D:\workspace\RT_Win_8_2\Mainline\Headlights\LogTransport\main\Application\source\xplat\Uploader.cpp
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: <AdobeIP#0000682>D:\workspace\RT_Win_8_2\Mainline\Headlights\LogTransport\main\Application\source\xplat\LogTransportDriver.cppLogTransUtils::GetUserLogFullPath emptysUsrConfigemptysSonarEmptysPersonGuid emptyGet Sonar from server, Sonar: %0a%0d\-110SOFTWARE\Policies\Adobe\APIPHLSOFTWARE\Policies\Adobe\APIPCCenabledActiveKillHibernateoptstateGet config Response Headers:]:[imsnakilloptoutOptstate doesn't have a valid value, will retryPIIP server is not available to fetch user's optstate right now, will retryKill switch enabled from receiver, deleting all the highbeam logs created on this machineOptstate is Opt out, deleting logsOptstate is Opt in, will upload logsGet Config from server, config: .xml.rdy.tmpprocessFiles failureGetSonarFile failedGetConfigFile failedLog upload failed and Going to sleepMove Low Right Logs...\Adobe\LogTransport2CC\Logs\].] to [Moving file [Commandline Arguments: ] = argv[Get Resource Locker failNo person GUID passed in, will exit.Anonymous user logs will be sent to headlights receiversSigned in user logs will be sent to highbeam receiversGet user data failInstaller kill switch is enabled!, ulogstatus=, url=, retryinterval=, maxretries=: maxdiskspace=Local configTry to send logsTry to send pre-release logs only as status is killcfInfo.msUlogStatus != LOGTRANSPORTLIB_ACTIVEException happensHouse keepingException happens in HouseKeeping------return in main------LogTranpsport received signal to shut downMemory allocation fails!tlog.log, File size is more than the thresholdDeleting log file Upload started for Upload succeeded for Exception: In Upload fileMaxTransportRetriesMessageSendIntervalBaseUrlMaxOfflineStoreSizeHousekeepingDiscardSessionsCrashDetectionTimeMaxNetworkRetryIntervalNo real time data available in offline db nowdeque<T> too 
longAdobe\LogTransport2CCAdobe\RTTransfer\Logs\Adobe\RTTransfer\sonar_policy.xml\RTTransfer.configABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/Open registry with key: with key: Query registry value with key: Create registry entry with key: Set registry value
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: LogTransportClose HTTP connection!D:\workspace\RT_Win_8_2\Mainline\Headlights\LogTransport\main\Application\source\xplat\Uploader.cpp
Source: 1.exe, 00000000.00000003.2267949785.0000000004138000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: D:\workspace\RT_Win_8_2\Mainline\public\binary\Win\x64\Release\LogTransport2.pdbTTNGCTL
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: D:\workspace\RT_Win_8_2\Mainline\Headlights\LogTransport\main\Application\source\xplat\LogTransportDriver.cpp
Source: 1.exe, 00000000.00000003.2084739962.0000000004060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: D:\workspace\RT_Win_8_2\Mainline\public\binary\Win\x64\Release\LogTransport2.pdb

Remote Access Functionality

Source: Yara match File source: Process Memory Space: 1.exe PID: 4324, type: MEMORYSTR