Edit tour

Windows Analysis Report
.....scr.exe

Overview

General Information

Sample name:	.....scr.exe renamed because original name is a hash value
Original sample name:	-ICS2 (00000002).pdf.................................................................................................scr.exe
Analysis ID:	1629757
MD5:	efa99a14cc37d38f81657dc8205e0a0d
SHA1:	d488f73af3fc96272ed24d44a8d74f8198d1ca5d
SHA256:	f4048c147a758eb5413a885a12c69fa5cd1b61668ae668942bcb7892e7f62584
Tags:	exeRemcosRATuser-threatcat_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys with suspicious names

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

.....scr.exe (PID: 3020 cmdline: "C:\Users\user\Desktop\.....scr.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

.....scr.exe (PID: 3632 cmdline: "C:\Users\user\Desktop\.....scr.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

Adobe.exe (PID: 7016 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

Adobe.exe (PID: 1620 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

recover.exe (PID: 7184 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ixoeircctyzseqmajwlmbdixt" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7192 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ixoeircctyzseqmajwlmbdixt" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7208 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kzbobknwghsxhwambgyfeidgcdcz" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7220 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kzbobknwghsxhwambgyfeidgcdcz" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7228 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vuhhccxycpkkrdwqkrshpuxxksmimfv" MD5: D38B657A068016768CA9F3B5E100B472)

Adobe.exe (PID: 7288 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

Adobe.exe (PID: 7328 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

Adobe.exe (PID: 7336 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

Adobe.exe (PID: 7696 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

Adobe.exe (PID: 7752 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

backgroundTaskHost.exe (PID: 7752 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)

Adobe.exe (PID: 7792 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

Adobe.exe (PID: 7828 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: EFA99A14CC37D38F81657DC8205E0A0D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-Reader-DTANWR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe-Reader", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.1837463304.000000000163A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.4168027891.0000000000E57000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.1726704777.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000015.00000002.1999906863.0000000001478000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.1923461971.00000000011EA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c6c8:$a1: Remcos restarted by watchdog! 0xe62e8:$a1: Remcos restarted by watchdog! 0x15fb28:$a1: Remcos restarted by watchdog! 0x6cd18:$a3: %02i:%02i:%02i:%03i 0xe6938:$a3: %02i:%02i:%02i:%03i 0x160178:$a3: %02i:%02i:%02i:%03i
Process Memory Space: .....scr.exe PID: 3020	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: .....scr.exe PID: 3020	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: .....scr.exe PID: 3020	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: .....scr.exe PID: 3020	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: .....scr.exe PID: 3020	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3a71d:$a1: Remcos restarted by watchdog! 0x3ad72:$a3: %02i:%02i:%02i:%03i 0x3b1af:$a3: %02i:%02i:%02i:%03i
Process Memory Space: .....scr.exe PID: 3632	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: .....scr.exe PID: 3632	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: .....scr.exe PID: 3632	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: .....scr.exe PID: 3632	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x160ce:$a1: Remcos restarted by watchdog! 0x16723:$a3: %02i:%02i:%02i:%03i 0x16b60:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Adobe.exe PID: 7016	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Adobe.exe PID: 1620	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Adobe.exe PID: 1620	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: recover.exe PID: 7192	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Adobe.exe PID: 7288	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Adobe.exe PID: 7336	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Adobe.exe PID: 7696	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Adobe.exe PID: 7752	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Adobe.exe PID: 7792	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Adobe.exe PID: 7828	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.recover.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2......scr.exe.3873590.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2......scr.exe.3873590.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.3873590.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.3873590.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.3873590.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
0.2......scr.exe.3873590.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
4.2.Adobe.exe.3aa0000.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2......scr.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2......scr.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2......scr.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2......scr.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
2.2......scr.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
2.2......scr.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
6.2.recover.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2......scr.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2......scr.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2......scr.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2......scr.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
2.2......scr.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
2.2......scr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
0.2......scr.exe.37f9970.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2......scr.exe.37f9970.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.37f9970.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.37f9970.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.37f9970.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
0.2......scr.exe.37f9970.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
4.2.Adobe.exe.3aa0000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2......scr.exe.3873590.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2......scr.exe.3873590.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.3873590.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.3873590.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0xe5598:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i 0xe5be8:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.3873590.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdf728:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0xdf6b8:$s1: CoGetObject 0xdf6cc:$s1: CoGetObject 0xdf6e8:$s1: CoGetObject 0xe9496:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new: 0xdf678:$s2: Elevation:Administrator!new:
0.2......scr.exe.37f9970.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2......scr.exe.37f9970.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.37f9970.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.37f9970.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0xe5978:$a1: Remcos restarted by watchdog! 0x15f1b8:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i 0xe5fc8:$a3: %02i:%02i:%02i:%03i 0x15f808:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.37f9970.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdfb08:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x159348:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0xdfa98:$s1: CoGetObject 0xdfaac:$s1: CoGetObject 0xdfac8:$s1: CoGetObject 0xe9876:$s1: CoGetObject 0x1592d8:$s1: CoGetObject 0x1592ec:$s1: CoGetObject 0x159308:$s1: CoGetObject 0x1630b6:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new: 0xdfa58:$s2: Elevation:Administrator!new: 0x159298:$s2: Elevation:Administrator!new:
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Adobe-Reader\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\.....scr.exe, ProcessId: 3632, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-Reader-DTANWR

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Adobe-Reader\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\.....scr.exe, ProcessId: 3632, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-Reader-DTANWR

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T07:10:14.236526+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.250.180.178	7902	TCP
2025-03-05T07:10:15.611537+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7902	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T07:10:15.795459+0100	2803304	3	Unknown Traffic	192.168.2.4	49742	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-Reader-DTANWR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe-Reader", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Adobe-Reader\Adobe.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: .....scr.exe	Virustotal: Detection: 33%			Perma Link
Source: .....scr.exe	ReversingLabs: Detection: 28%

Yara detected Remcos RAT

Source: Yara match	File source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1837463304.000000000163A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4168027891.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1726704777.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1999906863.0000000001478000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1923461971.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7828, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

2_2_00433B64

Source: .....scr.exe, 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_2e8c1177-c

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3632, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00406ABC _wcslen,CoGetObject,

2_2_00406ABC

Source: .....scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: .....scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: VyWc.pdbSHA256R source: .....scr.exe, Adobe.exe.2.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: VyWc.pdb source: .....scr.exe, Adobe.exe.2.dr

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_004090DC
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040B6B5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_0041C7E5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040B8BA
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_00408CDE
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00419CEE
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_00407EDD
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00406F13 FindFirstFileW,FindNextFileW,	2_2_00406F13
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_100010F1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0040B477 FindFirstFileW,FindNextFileW,	6_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	9_2_00407898

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00407357

Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49739 -> 104.250.180.178:7902
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49741 -> 104.250.180.178:7902

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 104.250.180.178

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 104.250.180.178:7902

Source: global traffic

TCP traffic: 192.168.2.4:57574 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49742 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004062E2 ShellExecuteW,URLDownloadToFileW,

2_2_004062E2

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Adobe.exe, 00000004.00000002.4170562783.0000000003C80000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1780932500.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe, 00000004.00000002.4170562783.0000000003C80000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1780932500.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: recover.exe, 00000006.00000003.1788789861.000000000346D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: irect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: recover.exe, 00000006.00000003.1788789861.000000000346D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: irect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: Adobe.exe, 00000004.00000002.4168263026.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: Adobe.exe, 00000004.00000002.4168263026.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4168263026.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: .....scr.exe, 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, .....scr.exe, 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000004.00000002.4168263026.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpk
Source: Adobe.exe, 00000004.00000002.4168027891.0000000000E57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpy
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: Adobe.exe, 00000004.00000002.4170562783.0000000003C80000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1780932500.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Adobe.exe, 00000004.00000002.4170562783.0000000003C80000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000003.1780776987.000000000332D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1780724013.000000000332D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000002.1780932500.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 00000004.00000002.4170562783.0000000003C80000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1780932500.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 00000004.00000002.4170562783.0000000003C80000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1780932500.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 00000009.00000003.1780776987.000000000332D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1780724013.000000000332D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comta
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: recover.exe, 00000006.00000002.1789370083.0000000002EAF000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 00000009.00000002.1780932500.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: .....scr.exe, 00000000.00000002.1729217127.0000000006962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: recover.exe, 00000006.00000003.1788789861.000000000346D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: recover.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Adobe.exe, 00000004.00000002.4170562783.0000000003C80000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1780932500.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: recover.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvBFCA.tmp.6.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

2_2_00409D1E

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0040B158

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	2_2_0041696E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	6_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	8_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	8_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	9_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	9_2_004072B5

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0040B158

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

2_2_00409E4A

Source: Yara match	File source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3632, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1837463304.000000000163A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4168027891.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1726704777.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1999906863.0000000001478000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1923461971.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7828, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041CF2D SystemParametersInfoW,

2_2_0041CF2D

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: .....scr.exe PID: 3020, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: .....scr.exe PID: 3632, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	6_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_004016FD NtdllDefWindowProc_A,	8_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_004017B7 NtdllDefWindowProc_A,	8_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00402CAC NtdllDefWindowProc_A,	9_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00402D66 NtdllDefWindowProc_A,	9_2_00402D66

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,

2_2_00416861

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F187F1	0_2_06F187F1
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F1A728	0_2_06F1A728
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F1A71A	0_2_06F1A71A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F1B0D8	0_2_06F1B0D8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F19080	0_2_06F19080
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F18C48	0_2_06F18C48
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F18810	0_2_06F18810
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_087B618C	0_2_087B618C
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_087B6183	0_2_087B6183
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_087B73B7	0_2_087B73B7
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_087B73A8	0_2_087B73A8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0042809D	2_2_0042809D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0045412B	2_2_0045412B
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004421C0	2_2_004421C0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004281D7	2_2_004281D7
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043E1E0	2_2_0043E1E0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041E29B	2_2_0041E29B
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004373DA	2_2_004373DA
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00438380	2_2_00438380
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00453472	2_2_00453472
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0042747E	2_2_0042747E
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043E43D	2_2_0043E43D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004325A1	2_2_004325A1
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043774C	2_2_0043774C
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041F809	2_2_0041F809
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004379F6	2_2_004379F6
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004279F5	2_2_004279F5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0044DAD9	2_2_0044DAD9
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00433C73	2_2_00433C73
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00413CA0	2_2_00413CA0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00437CBD	2_2_00437CBD
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043DD82	2_2_0043DD82
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00435F52	2_2_00435F52
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00437F78	2_2_00437F78
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043DFB1	2_2_0043DFB1
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_074DA71B	3_2_074DA71B
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_074DA728	3_2_074DA728
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_074D87F0	3_2_074D87F0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_074DB0D8	3_2_074DB0D8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_074D9080	3_2_074D9080
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_074D8C48	3_2_074D8C48
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_074D8810	3_2_074D8810
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_1000B5C1	4_2_1000B5C1
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10013631	4_2_10013631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044A030	6_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0040612B	6_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0043E13D	6_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044B188	6_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00442273	6_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044D380	6_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044A5F0	6_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_004125F6	6_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_004065BF	6_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_004086CB	6_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_004066BC	6_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044D760	6_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00405A40	6_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00449A40	6_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00405AB1	6_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00405B22	6_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044ABC0	6_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00405BB3	6_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00417C60	6_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044CC70	6_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00418CC9	6_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044CDFB	6_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044CDA0	6_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044AE20	6_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00415E3E	6_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00437F3B	6_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00405038	8_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0041208C	8_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_004050A9	8_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0040511A	8_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0043C13A	8_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_004051AB	8_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00449300	8_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0040D322	8_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0044A4F0	8_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0043A5AB	8_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00413631	8_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00446690	8_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0044A730	8_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_004398D8	8_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_004498E0	8_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0044A886	8_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0043DA09	8_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00438D5E	8_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00449ED0	8_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0041FE83	8_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00430F54	8_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004050C2	9_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004014AB	9_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405133	9_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004051A4	9_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00401246	9_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_0040CA46	9_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00405235	9_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004032C8	9_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00401689	9_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00402F60	9_2_00402F60
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_06D387F1	10_2_06D387F1
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_06D3A71B	10_2_06D3A71B
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_06D3A728	10_2_06D3A728
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_06D3B0D8	10_2_06D3B0D8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_06D39080	10_2_06D39080
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_06D38C48	10_2_06D38C48
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_06D38810	10_2_06D38810
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_0718618C	18_2_0718618C
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_071873A8	18_2_071873A8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_0718617D	18_2_0718617D
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_0726A728	18_2_0726A728
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_0726A71A	18_2_0726A71A
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_072687F2	18_2_072687F2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_07269080	18_2_07269080
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_0726B0D8	18_2_0726B0D8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_07268C48	18_2_07268C48
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 18_2_07268810	18_2_07268810
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_068A618C	20_2_068A618C
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_068A73A8	20_2_068A73A8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_068A6183	20_2_068A6183
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_069887F2	20_2_069887F2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_0698A71A	20_2_0698A71A
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_0698A728	20_2_0698A728
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_06989080	20_2_06989080
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_0698B0D8	20_2_0698B0D8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_06988C48	20_2_06988C48
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 20_2_06988810	20_2_06988810

Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00401EBF appears 32 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00434ACF appears 43 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00402117 appears 39 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Source: .....scr.exe, 00000000.00000002.1723025724.000000000284F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.1721680675.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.1730018483.0000000006F20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs .....scr.exe
Source: .....scr.exe, 00000000.00000000.1695273189.00000000004AE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVyWc.exe" vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.1730989856.0000000008A20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000002.00000002.1726704777.0000000000E90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs .....scr.exe
Source: .....scr.exe	Binary or memory string: OriginalFilenameVyWc.exe" vs .....scr.exe

Source: .....scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: .....scr.exe PID: 3020, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: .....scr.exe PID: 3632, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: .....scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2......scr.exe.6f20000.4.raw.unpack, GTjYGZul74RN11n9RH.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.6f20000.4.raw.unpack, GTjYGZul74RN11n9RH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.6f20000.4.raw.unpack, GTjYGZul74RN11n9RH.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, GTjYGZul74RN11n9RH.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, GTjYGZul74RN11n9RH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, GTjYGZul74RN11n9RH.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, NoS06Kf2tT9iKtmmRd.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, NoS06Kf2tT9iKtmmRd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.6f20000.4.raw.unpack, NoS06Kf2tT9iKtmmRd.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.6f20000.4.raw.unpack, NoS06Kf2tT9iKtmmRd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@29/21@1/2

Source: C:\Windows\SysWOW64\recover.exe

Code function: 6_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

6_2_0041A225

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		2_2_00417AD9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		9_2_00410DE1

Source: C:\Windows\SysWOW64\recover.exe

Code function: 6_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

6_2_0041A6AF

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

2_2_0040C03C

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,

2_2_0041B9AB

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0041AC43

Source: C:\Users\user\Desktop\.....scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\.....scr.exe.log

Jump to behavior

Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Mutant created: NULL
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe-Reader-DTANWR

Source: C:\Windows\SysWOW64\recover.exe

File created: C:\Users\user\AppData\Local\Temp\bhvBFCA.tmp

Jump to behavior

Source: .....scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: .....scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\SysWOW64\recover.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 00000008.00000002.1778982453.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 00000006.00000002.1789865280.0000000004B17000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000006.00000003.1789065224.0000000004B17000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000006.00000003.1788816830.0000000004B17000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000006.00000003.1788737298.0000000004B17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: .....scr.exe	Virustotal: Detection: 33%
Source: .....scr.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\.....scr.exe

File read: C:\Users\user\Desktop\.....scr.exe

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ixoeircctyzseqmajwlmbdixt"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ixoeircctyzseqmajwlmbdixt"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kzbobknwghsxhwambgyfeidgcdcz"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kzbobknwghsxhwambgyfeidgcdcz"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vuhhccxycpkkrdwqkrshpuxxksmimfv"
Source: unknown	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ixoeircctyzseqmajwlmbdixt"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ixoeircctyzseqmajwlmbdixt"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kzbobknwghsxhwambgyfeidgcdcz"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kzbobknwghsxhwambgyfeidgcdcz"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vuhhccxycpkkrdwqkrshpuxxksmimfv"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"

Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: biwinrt.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: slc.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: wincorlib.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: threadpoolwinrt.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.applicationmodel.background.timebroker.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.applicationmodel.background.systemeventsbroker.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.web.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.services.targetedcontent.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: contentdeliverymanager.utilities.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: notificationcontrollerps.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: cryptowinrt.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: ncryptprov.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.web.http.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.networking.hostname.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: wosc.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: updatepolicy.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: profext.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: dcntel.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: utcutil.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: appraiser.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: wdscore.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: msi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: version.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: tdh.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: certenroll.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: certca.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: dsparse.dll
Source: C:\Windows\System32\backgroundTaskHost.exe	Section loaded: mlang.dll

Source: C:\Users\user\Desktop\.....scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\.....scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: .....scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: .....scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: .....scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: VyWc.pdbSHA256R source: .....scr.exe, Adobe.exe.2.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: Adobe.exe, 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: VyWc.pdb source: .....scr.exe, Adobe.exe.2.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2......scr.exe.6f20000.4.raw.unpack, GTjYGZul74RN11n9RH.cs	.Net Code: Ao5GwqDY7J System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.293f0d4.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.8a20000.5.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, GTjYGZul74RN11n9RH.cs	.Net Code: Ao5GwqDY7J System.Reflection.Assembly.Load(byte[])
Source: 3.2.Adobe.exe.2fbf0d0.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: .....scr.exe

Static PE information: 0xA2801A61 [Tue May 23 10:45:53 2056 UTC]

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_0041D0CF

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_00CC4658 push edx; retf 0004h	0_2_00CC465A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_00CC4790 push esi; retf 0004h	0_2_00CC4792
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_00CC4759 push esi; retf 0004h	0_2_00CC475A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F1D621 push es; iretd	0_2_06F1D634
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F1B798 pushfd ; retf	0_2_06F1B799
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_06F1DE7F push 5604CFF8h; iretd	0_2_06F1DE5E
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_087B2FF8 push cs; retf	0_2_087B3006
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_087B2518 push cs; retf	0_2_087B2526
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004570CF push ecx; ret	2_2_004570E2
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00435226 push ecx; ret	2_2_00435239
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00457A00 push eax; ret	2_2_00457A1E
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_074DB798 pushfd ; retf	3_2_074DB799
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10002806 push ecx; ret	4_2_10002819
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10009FD8 push esi; ret	4_2_10009FD9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00446B75 push ecx; ret	6_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_00452BB4 push eax; ret	6_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044DDB0 push eax; ret	6_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0044DDB0 push eax; ret	6_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0044B090 push eax; ret	8_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_0044B090 push eax; ret	8_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00444E71 push ecx; ret	8_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00414060 push eax; ret	9_2_00414074
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00414060 push eax; ret	9_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00414039 push ecx; ret	9_2_00414049
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_004164EB push 0000006Ah; retf	9_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00416553 push 0000006Ah; retf	9_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00416555 push 0000006Ah; retf	9_2_004165C4
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_00CB4658 push edx; retn 0004h	10_2_00CB465A
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_00CB4790 push esi; retn 0004h	10_2_00CB4792
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_00CB4759 push esi; retn 0004h	10_2_00CB475A
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 10_2_06D3D621 push es; iretd	10_2_06D3D634

Source: .....scr.exe	Static PE information: section name: .text entropy: 7.8732587766966065
Source: Adobe.exe.2.dr	Static PE information: section name: .text entropy: 7.8732587766966065

Source: 0.2......scr.exe.6f20000.4.raw.unpack, GeiBFubblFj8mnku8e.cs	High entropy of concatenated method names: 'aFT8aZpbJF', 'BIa8Nf4f0U', 'Y0482Psnod', 'DDL8of6SC2', 'z8j8u061Nu', 'Cxm208icHe', 'nuA259h7oA', 'Ejj2m4B7vp', 'Ug42OJounF', 't4C2lU9JiZ'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, a87yfDDX6xcMIsc6wd.cs	High entropy of concatenated method names: 'g9wtR0B4CU', 'Y09t2605ff', 'm0Ft8BhqJ2', 'SCrtoRkO10', 'rn7tQnTyGM', 'Vd7tuG1pKn', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, NoS06Kf2tT9iKtmmRd.cs	High entropy of concatenated method names: 'DaNNcTcCeA', 'bTINSXEWkM', 'xaMNV9xcY2', 'q1FNKSN8ev', 'sNFN0OUMJ7', 'FphN5RsbEx', 'mXxNmiOIBS', 'jvyNO2Vl8Y', 'uN4NlLJ0s9', 'StbNDJhXeZ'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, yMfD4mmFbbMQPsZwAq.cs	High entropy of concatenated method names: 'uiOQPRv7b1', 'UUXQUtmVhx', 'V9ZQQ8K7L4', 'aUCQE19nki', 'DSqQhELOKx', 'ofnQ1WCLxN', 'Dispose', 'NTBg90nE5e', 'UN6gNpD8ur', 'fpVgR40ml9'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, iHU9iMTUvsfhXAtD6B.cs	High entropy of concatenated method names: 'N90okrI4jC', 'EBpoCq8TXH', 'NSeowGZAmf', 'RAGorMsW4a', 'vmnoAGWSSt', 'rNvoFV3P7s', 'aOcoBNVF3P', 'lZ5ofM7JYT', 'Ai4o7V0NIp', 'tPEoXH1BQs'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, jYxPlXlYeeEHXnni0v.cs	High entropy of concatenated method names: 'FH9Qb9ESVK', 'adSQxKgKvM', 'x9UQytJtZA', 'ypJQqxowqM', 'QYXQLeeZCy', 'EuDQYXXKBA', 'chvQe0RIas', 'cs0QsyjglI', 'flWQTZVSgZ', 'Eb7QjhbrBG'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, BfQpj7JMnBagLW0xHR9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hEWt6vYpGO', 'CI6tWkNB9J', 'XOctnji4Zc', 'SFUtcosFst', 'EREtS8FFRp', 'ldvtV5ZnQx', 'gHttKyRjNV'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, oiAPHT5NvROewsZcVm.cs	High entropy of concatenated method names: 'oilUOlSeZM', 'JKMUDvHfjV', 'GQ2gM3iXO9', 'hG8gJyptA1', 'mXHU6yiHj1', 'zPPUWxvAqI', 'RD0UnO8qHj', 'WEMUcuoBLY', 'mS3USUDNCx', 'ad1UV1n7yL'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, X5MZyCJJS2M06qG6QY1.cs	High entropy of concatenated method names: 'cPotDN4LO3', 'RW4tzf6WAh', 'WtvEMuqf1g', 'uXXEJQoUHq', 'TiIE4Imee4', 'PJSEvtWtpT', 'F6NEGlX784', 'QxgEavbwQS', 'VOTE9XdIll', 'pUvEN3BuyZ'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, hVIaCNG0OoQenR3STW.cs	High entropy of concatenated method names: 'RyjJooS06K', 'htTJu9iKtm', 'htQJHvRjDQ', 'wPAJ3SoQ8C', 'FiKJPAfxei', 'CFuJdblFj8', 'WU6Vyi6uYk9qFllsUI', 'rl25wvrX4qdNU0ErvE', 'IOHJJkIPKX', 'QRtJvt37ut'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, nhFfAfnt5GMwbevyym.cs	High entropy of concatenated method names: 'bMqpf7bUZN', 'YgBp7q06tX', 'TCdpbWKTQL', 'dYPpxQ8Kcf', 'lrdpqsjugO', 'aO1pLAJEPb', 'PDppeFk8Bg', 'pvNpsmvtWF', 'cAnpj2ZS1u', 'Y7jp6tuZod'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, sPAtmrNktdDCLYbJVb.cs	High entropy of concatenated method names: 'Dispose', 'FMQJlPsZwA', 'aIx4x5bwn3', 'i32ilFnF8n', 'IKyJDd3yRf', 'gJ4Jzp0UC3', 'ProcessDialogKey', 'WLo4MYxPlX', 'Kee4JEHXnn', 'w0v44J87yf'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, xBSAGkcxsjdJ4GNEfh.cs	High entropy of concatenated method names: 'qHfPjWASDk', 'z3JPWgcM5e', 'D90PcisVAS', 'QOkPS0D9tO', 'GjCPxiW8t2', 'Gi8PyjqwHA', 'ujBPqjIVJo', 'PtcPLdC778', 'p8xPYaa7Z2', 'eViPe0TDNA'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, LDZ5O27tQvRjDQiPAS.cs	High entropy of concatenated method names: 'AG8RrEBwxE', 'D7rRFQ05Y0', 'uUfRfWUely', 'WCTR70j3aM', 'u31RPl5v0O', 'HQqRdaQ4jc', 'J4TRUhUr3O', 'r6TRgoqfg3', 'MXnRQYBiWW', 'YJkRtVxYeF'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, yu1pe1JGCo3u6hIejOn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PniIQRsxv3', 'pSQItqEoTw', 'P4JIEXEGpU', 'AZoIIvqQPb', 'GSgIhu4o9b', 'BxyIihuKiK', 'OvKI12ZL0q'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, BK0e3BzxIEvIfm6E8d.cs	High entropy of concatenated method names: 'yu3tFJUdit', 'YaotfyfdST', 'sobt7OViYF', 'OfstbxHwPR', 'Nnstxeb8Py', 'CB7tqYH9GZ', 'tcvtLu7a4x', 'PFGt1XGaXe', 'uvLtkyQxr9', 'UowtCfeRCl'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, GTjYGZul74RN11n9RH.cs	High entropy of concatenated method names: 'GJUvalCWrh', 'QHyv9xP5ea', 'MeMvNGdXRP', 'VNFvREgGLp', 'bKMv28Iih9', 'PBtv8nxnL4', 'hirvon7TwL', 'CrkvucUnKH', 'IdlvZyKrO3', 'B03vHj1bre'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, y9Ju4q4hl5sOk2usi0.cs	High entropy of concatenated method names: 'Qbmw2tGxM', 'YewrbvCGZ', 'zdEFopkWH', 'Q3wByeZfT', 'FBr7MyOYN', 'LXYXF7sXS', 'WNBmTByF8f5Of2JRbf', 'kBnk2GpHs7hwWr0pc7', 'FaOghhpDh', 'UFut6SOYh'
Source: 0.2......scr.exe.6f20000.4.raw.unpack, jJjuTae4lJr5MQKcOq.cs	High entropy of concatenated method names: 'ud5o96PV8A', 'g87oRa91Ib', 'JNBo8PRCVL', 'HXq8DfYDSo', 'l8o8zfKih4', 'tJhoMbnkPA', 'uZPoJpNOXC', 'lRmo45H4Qu', 'JbDovJrcUV', 'csZoG5yRf5'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, GeiBFubblFj8mnku8e.cs	High entropy of concatenated method names: 'aFT8aZpbJF', 'BIa8Nf4f0U', 'Y0482Psnod', 'DDL8of6SC2', 'z8j8u061Nu', 'Cxm208icHe', 'nuA259h7oA', 'Ejj2m4B7vp', 'Ug42OJounF', 't4C2lU9JiZ'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, a87yfDDX6xcMIsc6wd.cs	High entropy of concatenated method names: 'g9wtR0B4CU', 'Y09t2605ff', 'm0Ft8BhqJ2', 'SCrtoRkO10', 'rn7tQnTyGM', 'Vd7tuG1pKn', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, NoS06Kf2tT9iKtmmRd.cs	High entropy of concatenated method names: 'DaNNcTcCeA', 'bTINSXEWkM', 'xaMNV9xcY2', 'q1FNKSN8ev', 'sNFN0OUMJ7', 'FphN5RsbEx', 'mXxNmiOIBS', 'jvyNO2Vl8Y', 'uN4NlLJ0s9', 'StbNDJhXeZ'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, yMfD4mmFbbMQPsZwAq.cs	High entropy of concatenated method names: 'uiOQPRv7b1', 'UUXQUtmVhx', 'V9ZQQ8K7L4', 'aUCQE19nki', 'DSqQhELOKx', 'ofnQ1WCLxN', 'Dispose', 'NTBg90nE5e', 'UN6gNpD8ur', 'fpVgR40ml9'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, iHU9iMTUvsfhXAtD6B.cs	High entropy of concatenated method names: 'N90okrI4jC', 'EBpoCq8TXH', 'NSeowGZAmf', 'RAGorMsW4a', 'vmnoAGWSSt', 'rNvoFV3P7s', 'aOcoBNVF3P', 'lZ5ofM7JYT', 'Ai4o7V0NIp', 'tPEoXH1BQs'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, jYxPlXlYeeEHXnni0v.cs	High entropy of concatenated method names: 'FH9Qb9ESVK', 'adSQxKgKvM', 'x9UQytJtZA', 'ypJQqxowqM', 'QYXQLeeZCy', 'EuDQYXXKBA', 'chvQe0RIas', 'cs0QsyjglI', 'flWQTZVSgZ', 'Eb7QjhbrBG'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, BfQpj7JMnBagLW0xHR9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hEWt6vYpGO', 'CI6tWkNB9J', 'XOctnji4Zc', 'SFUtcosFst', 'EREtS8FFRp', 'ldvtV5ZnQx', 'gHttKyRjNV'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, oiAPHT5NvROewsZcVm.cs	High entropy of concatenated method names: 'oilUOlSeZM', 'JKMUDvHfjV', 'GQ2gM3iXO9', 'hG8gJyptA1', 'mXHU6yiHj1', 'zPPUWxvAqI', 'RD0UnO8qHj', 'WEMUcuoBLY', 'mS3USUDNCx', 'ad1UV1n7yL'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, X5MZyCJJS2M06qG6QY1.cs	High entropy of concatenated method names: 'cPotDN4LO3', 'RW4tzf6WAh', 'WtvEMuqf1g', 'uXXEJQoUHq', 'TiIE4Imee4', 'PJSEvtWtpT', 'F6NEGlX784', 'QxgEavbwQS', 'VOTE9XdIll', 'pUvEN3BuyZ'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, hVIaCNG0OoQenR3STW.cs	High entropy of concatenated method names: 'RyjJooS06K', 'htTJu9iKtm', 'htQJHvRjDQ', 'wPAJ3SoQ8C', 'FiKJPAfxei', 'CFuJdblFj8', 'WU6Vyi6uYk9qFllsUI', 'rl25wvrX4qdNU0ErvE', 'IOHJJkIPKX', 'QRtJvt37ut'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, nhFfAfnt5GMwbevyym.cs	High entropy of concatenated method names: 'bMqpf7bUZN', 'YgBp7q06tX', 'TCdpbWKTQL', 'dYPpxQ8Kcf', 'lrdpqsjugO', 'aO1pLAJEPb', 'PDppeFk8Bg', 'pvNpsmvtWF', 'cAnpj2ZS1u', 'Y7jp6tuZod'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, sPAtmrNktdDCLYbJVb.cs	High entropy of concatenated method names: 'Dispose', 'FMQJlPsZwA', 'aIx4x5bwn3', 'i32ilFnF8n', 'IKyJDd3yRf', 'gJ4Jzp0UC3', 'ProcessDialogKey', 'WLo4MYxPlX', 'Kee4JEHXnn', 'w0v44J87yf'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, xBSAGkcxsjdJ4GNEfh.cs	High entropy of concatenated method names: 'qHfPjWASDk', 'z3JPWgcM5e', 'D90PcisVAS', 'QOkPS0D9tO', 'GjCPxiW8t2', 'Gi8PyjqwHA', 'ujBPqjIVJo', 'PtcPLdC778', 'p8xPYaa7Z2', 'eViPe0TDNA'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, LDZ5O27tQvRjDQiPAS.cs	High entropy of concatenated method names: 'AG8RrEBwxE', 'D7rRFQ05Y0', 'uUfRfWUely', 'WCTR70j3aM', 'u31RPl5v0O', 'HQqRdaQ4jc', 'J4TRUhUr3O', 'r6TRgoqfg3', 'MXnRQYBiWW', 'YJkRtVxYeF'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, yu1pe1JGCo3u6hIejOn.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PniIQRsxv3', 'pSQItqEoTw', 'P4JIEXEGpU', 'AZoIIvqQPb', 'GSgIhu4o9b', 'BxyIihuKiK', 'OvKI12ZL0q'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, BK0e3BzxIEvIfm6E8d.cs	High entropy of concatenated method names: 'yu3tFJUdit', 'YaotfyfdST', 'sobt7OViYF', 'OfstbxHwPR', 'Nnstxeb8Py', 'CB7tqYH9GZ', 'tcvtLu7a4x', 'PFGt1XGaXe', 'uvLtkyQxr9', 'UowtCfeRCl'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, GTjYGZul74RN11n9RH.cs	High entropy of concatenated method names: 'GJUvalCWrh', 'QHyv9xP5ea', 'MeMvNGdXRP', 'VNFvREgGLp', 'bKMv28Iih9', 'PBtv8nxnL4', 'hirvon7TwL', 'CrkvucUnKH', 'IdlvZyKrO3', 'B03vHj1bre'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, y9Ju4q4hl5sOk2usi0.cs	High entropy of concatenated method names: 'Qbmw2tGxM', 'YewrbvCGZ', 'zdEFopkWH', 'Q3wByeZfT', 'FBr7MyOYN', 'LXYXF7sXS', 'WNBmTByF8f5Of2JRbf', 'kBnk2GpHs7hwWr0pc7', 'FaOghhpDh', 'UFut6SOYh'
Source: 0.2......scr.exe.39b99a0.3.raw.unpack, jJjuTae4lJr5MQKcOq.cs	High entropy of concatenated method names: 'ud5o96PV8A', 'g87oRa91Ib', 'JNBo8PRCVL', 'HXq8DfYDSo', 'l8o8zfKih4', 'tJhoMbnkPA', 'uZPoJpNOXC', 'lRmo45H4Qu', 'JbDovJrcUV', 'csZoG5yRf5'

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004062E2 ShellExecuteW,URLDownloadToFileW,

2_2_004062E2

Source: C:\Users\user\Desktop\.....scr.exe

File created: C:\ProgramData\Adobe-Reader\Adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\.....scr.exe

File created: C:\ProgramData\Adobe-Reader\Adobe.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\.....scr.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0041AC43

Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

2_2_0041D0CF

Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7792, type: MEMORYSTR

Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 8A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 7120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 9A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: AA40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 4E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 8980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 9980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 9B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: AB70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 8270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 9270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 9460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: A460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 2A90000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 2D20000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 2A90000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 87C0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 97C0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 99A0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: A9A0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 930000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 24E0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 2240000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 7F10000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 8F10000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 90F0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: A0F0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\recover.exe

Code function: 6_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

6_2_0040BAE3

Source: C:\Users\user\Desktop\.....scr.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

2_2_0041A941

Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Window / User API: threadDelayed 889			Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Window / User API: threadDelayed 9099			Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe	Evaded block: after key decision	graph_2-47085
Source: C:\Users\user\Desktop\.....scr.exe	Evaded block: after key decision	graph_2-47246
Source: C:\Users\user\Desktop\.....scr.exe	Evaded block: after key decision	graph_2-47221

Source: C:\Users\user\Desktop\.....scr.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-47047

Source: C:\Users\user\Desktop\.....scr.exe	API coverage: 6.9 %
Source: C:\Windows\SysWOW64\recover.exe	API coverage: 9.4 %

Source: C:\Users\user\Desktop\.....scr.exe TID: 4996	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 7096	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3756	Thread sleep count: 889 > 30	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3756	Thread sleep time: -2667000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3756	Thread sleep count: 9099 > 30	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3756	Thread sleep time: -27297000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 7724	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_004090DC
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040B6B5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_0041C7E5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040B8BA
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_00408CDE
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00419CEE
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_00407EDD
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00406F13 FindFirstFileW,FindNextFileW,	2_2_00406F13
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_100010F1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 6_2_0040B477 FindFirstFileW,FindNextFileW,	6_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	9_2_00407898

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00407357

Source: C:\Windows\SysWOW64\recover.exe

Code function: 6_2_0041A8D8 memset,GetSystemInfo,

6_2_0041A8D8

Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: Adobe.exe, 00000004.00000002.4168027891.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4168263026.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhvBFCA.tmp.6.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: bhvBFCA.tmp.6.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\Windows\SysWOW64\recover.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\recover.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_0043B88D

Source: C:\Windows\SysWOW64\recover.exe

6_2_0040BAE3

Source: C:\Users\user\Desktop\.....scr.exe

2_2_0041D0CF

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004438F4 mov eax, dword ptr fs:[00000030h]		2_2_004438F4
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10004AB4 mov eax, dword ptr fs:[00000030h]		4_2_10004AB4

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

2_2_00411999

Source: C:\Windows\SysWOW64\recover.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00435398
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0043B88D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00434D6E
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00434F01 SetUnhandledExceptionFilter,	2_2_00434F01
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_100060E2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_10002639
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_10002B1C

Source: C:\Users\user\Desktop\.....scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\.....scr.exe	Memory written: C:\Users\user\Desktop\.....scr.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\ProgramData\Adobe-Reader\Adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\ProgramData\Adobe-Reader\Adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\ProgramData\Adobe-Reader\Adobe.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\ProgramData\Adobe-Reader\Adobe.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2D1A008	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 309C008	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2D71008	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004197D9 mouse_event,

2_2_004197D9

Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ixoeircctyzseqmajwlmbdixt"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ixoeircctyzseqmajwlmbdixt"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kzbobknwghsxhwambgyfeidgcdcz"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\kzbobknwghsxhwambgyfeidgcdcz"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\vuhhccxycpkkrdwqkrshpuxxksmimfv"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"

Source: Adobe.exe, 00000004.00000002.4168263026.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager1
Source: Adobe.exe, 00000004.00000002.4168263026.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr
Source: Adobe.exe, 00000004.00000002.4168027891.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4168263026.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4168263026.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00435034 cpuid

2_2_00435034

Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_004520E2
Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_00452097
Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_0045217D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoA,	2_2_0040F26B
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0045220A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_0044844E
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,	2_2_0045245A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00452583
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,	2_2_0045268A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00452757
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,	2_2_00448937
Source: C:\Users\user\Desktop\.....scr.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00451E1F

Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Users\user\Desktop\.....scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\ProgramData\Adobe-Reader\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\ProgramData\Adobe-Reader\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\ProgramData\Adobe-Reader\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\ProgramData\Adobe-Reader\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\f1bca13e812a4670aa9cc883eb3fdc42_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\b029a9bc549c42fe8b042c64d5386f7f_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\28dacf673c31495bae4c4f3cb51da626_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\2a34876ab2d24dd28a211a9d3d17a71e_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\15050a7535d349ae9f73cfb14f9288aa_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1741155103 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1741155103 VolumeInformation

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041A1AD __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,GetLocalTime,Sleep,

2_2_0041A1AD

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041BB0E GetUserNameW,

2_2_0041BB0E

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004493F7 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_004493F7

Source: C:\Windows\SysWOW64\recover.exe

Code function: 6_2_004192F2 GetVersionExW,

6_2_004192F2

Source: C:\Users\user\Desktop\.....scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1837463304.000000000163A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4168027891.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1726704777.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1999906863.0000000001478000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1923461971.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7828, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\.....scr.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

2_2_0040B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\.....scr.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		2_2_0040B6B5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: \key3.db		2_2_0040B6B5

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\recover.exe	Code function: ESMTPPassword	8_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	8_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	8_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 6.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Adobe.exe.3aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Adobe.exe.3aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1789234219.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4169554957.0000000003AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: recover.exe PID: 7192, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 0.2......scr.exe.3873590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.3873590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.37f9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1837463304.000000000163A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4168027891.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1726704777.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1999906863.0000000001478000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1923461971.00000000011EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1724071521.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723966627.00000000037F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7828, type: MEMORYSTR

Source: C:\Users\user\Desktop\.....scr.exe

Code function: cmd.exe

2_2_00405091

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	12 Software Packing	3 Credentials In Files	4 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 Timestomp	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report .....scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
.....scr.exe