Edit tour

Windows Analysis Report
.....scr.exe

Overview

General Information

Sample name:	.....scr.exe renamed because original name is a hash value
Original sample name:	-ICS 2 House BL filing format.xlsx................................................................................................scr.exe
Analysis ID:	1629758
MD5:	8bb239fb87b043c801faf13f8bba1228
SHA1:	2e5a933bf9ff60c1703560d796e2642a7c9fcef7
SHA256:	65b7cf7ab546e94fad0cbce12c9756dcb2af4aa833943beffdfcc448e00e4449
Tags:	exeRemcosRATuser-threatcat_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys with suspicious names

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

.....scr.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\.....scr.exe" MD5: 8BB239FB87B043C801FAF13F8BBA1228)

.....scr.exe (PID: 5808 cmdline: "C:\Users\user\Desktop\.....scr.exe" MD5: 8BB239FB87B043C801FAF13F8BBA1228)

Adobe.exe (PID: 5528 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 8BB239FB87B043C801FAF13F8BBA1228)

Adobe.exe (PID: 1268 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 8BB239FB87B043C801FAF13F8BBA1228)

recover.exe (PID: 6352 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 2944 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 5808 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 4464 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 940 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 6196 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 2172 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 2128 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 4024 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 6284 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 2300 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 4676 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7172 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7180 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7188 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7196 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7204 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7212 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7220 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7228 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7236 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7244 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7252 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7260 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7268 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7276 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7284 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7292 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7300 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7308 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7316 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7324 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7332 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 7340 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay" MD5: D38B657A068016768CA9F3B5E100B472)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-Reader-DTANWR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe-Reader", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4509656819.0000000001187000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.2080081154.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c6c8:$a1: Remcos restarted by watchdog! 0xe62e8:$a1: Remcos restarted by watchdog! 0x15fb28:$a1: Remcos restarted by watchdog! 0x6cd18:$a3: %02i:%02i:%02i:%03i 0xe6938:$a3: %02i:%02i:%02i:%03i 0x160178:$a3: %02i:%02i:%02i:%03i
Process Memory Space: .....scr.exe PID: 1848	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: .....scr.exe PID: 1848	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: .....scr.exe PID: 1848	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: .....scr.exe PID: 1848	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: .....scr.exe PID: 1848	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14fde:$a1: Remcos restarted by watchdog! 0x15633:$a3: %02i:%02i:%02i:%03i 0x15a70:$a3: %02i:%02i:%02i:%03i
Process Memory Space: .....scr.exe PID: 5808	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: .....scr.exe PID: 5808	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: .....scr.exe PID: 5808	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: .....scr.exe PID: 5808	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x19beb:$a1: Remcos restarted by watchdog! 0x1a240:$a3: %02i:%02i:%02i:%03i 0x1a67d:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Adobe.exe PID: 5528	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Adobe.exe PID: 1268	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2......scr.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2......scr.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2......scr.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2......scr.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6d758:$a1: Remcos restarted by watchdog! 0x6dda8:$a3: %02i:%02i:%02i:%03i
2.2......scr.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x679f4:$str_a1: C:\Windows\System32\cmd.exe 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x67a64:$str_b2: Executing file: 0x6889c:$str_b3: GetDirectListeningPort 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x68448:$str_b7: \update.vbs 0x67a8c:$str_b9: Downloaded file: 0x67a78:$str_b10: Downloading file: 0x67b1c:$str_b12: Failed to upload file: 0x68864:$str_b13: StartForward 0x68884:$str_b14: StopForward 0x683a0:$str_b15: fso.DeleteFile " 0x68334:$str_b16: On Error Resume Next 0x683d0:$str_b17: fso.DeleteFolder " 0x67b0c:$str_b18: Uploaded file: 0x67acc:$str_b19: Unable to delete: 0x68368:$str_b20: while fso.FileExists(" 0x67fa9:$str_c0: [Firefox StoredLogins not found]
2.2......scr.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x678e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x67878:$s1: CoGetObject 0x6788c:$s1: CoGetObject 0x678a8:$s1: CoGetObject 0x71656:$s1: CoGetObject 0x67838:$s2: Elevation:Administrator!new:
0.2......scr.exe.43b3590.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2......scr.exe.43b3590.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.43b3590.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.43b3590.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.43b3590.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
0.2......scr.exe.43b3590.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
0.2......scr.exe.4339970.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2......scr.exe.4339970.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.4339970.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.4339970.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.4339970.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
0.2......scr.exe.4339970.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
2.2......scr.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2......scr.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2......scr.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2......scr.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
2.2......scr.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
2.2......scr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
0.2......scr.exe.43b3590.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2......scr.exe.43b3590.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.43b3590.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.43b3590.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0xe5598:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i 0xe5be8:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.43b3590.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdf728:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0xdf6b8:$s1: CoGetObject 0xdf6cc:$s1: CoGetObject 0xdf6e8:$s1: CoGetObject 0xe9496:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new: 0xdf678:$s2: Elevation:Administrator!new:
0.2......scr.exe.4339970.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2......scr.exe.4339970.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.4339970.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.4339970.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0xe5978:$a1: Remcos restarted by watchdog! 0x15f1b8:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i 0xe5fc8:$a3: %02i:%02i:%02i:%03i 0x15f808:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.4339970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdfb08:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x159348:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0xdfa98:$s1: CoGetObject 0xdfaac:$s1: CoGetObject 0xdfac8:$s1: CoGetObject 0xe9876:$s1: CoGetObject 0x1592d8:$s1: CoGetObject 0x1592ec:$s1: CoGetObject 0x159308:$s1: CoGetObject 0x1630b6:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new: 0xdfa58:$s2: Elevation:Administrator!new: 0x159298:$s2: Elevation:Administrator!new:
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Adobe-Reader\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\.....scr.exe, ProcessId: 5808, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-Reader-DTANWR

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Adobe-Reader\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\.....scr.exe, ProcessId: 5808, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-Reader-DTANWR

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T07:10:13.449562+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.250.180.178	7902	TCP
2025-03-05T07:10:15.086317+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49710	104.250.180.178	7902	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T07:10:15.074009+0100	2803304	3	Unknown Traffic	192.168.2.5	49711	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-Reader-DTANWR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe-Reader", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Adobe-Reader\Adobe.exe	ReversingLabs: Detection: 26%
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Virustotal: Detection: 33%			Perma Link

Multi AV Scanner detection for submitted file

Source: .....scr.exe	Virustotal: Detection: 33%			Perma Link
Source: .....scr.exe	ReversingLabs: Detection: 26%

Yara detected Remcos RAT

Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4509656819.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2080081154.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 5808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1268, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

2_2_00433B64

Source: .....scr.exe, 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_fe86d65b-f

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 5808, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00406ABC _wcslen,CoGetObject,

2_2_00406ABC

Source: .....scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: .....scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: gxjs.pdbSHA256 source: .....scr.exe, Adobe.exe.2.dr
Source:	Binary string: gxjs.pdb source: .....scr.exe, Adobe.exe.2.dr

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_004090DC
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040B6B5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_0041C7E5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040B8BA
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0044E989 FindFirstFileExA,	2_2_0044E989
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_00408CDE
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00419CEE
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_00407EDD
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00406F13 FindFirstFileW,FindNextFileW,	2_2_00406F13
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_100010F1
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10006580 FindFirstFileExA,	4_2_10006580

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00407357

Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49709 -> 104.250.180.178:7902
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49710 -> 104.250.180.178:7902

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 104.250.180.178

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 104.250.180.178:7902

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49711 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004062E2 ShellExecuteW,URLDownloadToFileW,

2_2_004062E2

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Adobe.exe, 00000004.00000002.4509486281.0000000001080000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe, 00000004.00000002.4509486281.0000000001080000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: .....scr.exe, Adobe.exe, 00000004.00000002.4509791383.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4509791383.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: .....scr.exe, 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp, .....scr.exe, 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000004.00000002.4509486281.0000000001080000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: Adobe.exe, 00000004.00000002.4509486281.0000000001080000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 00000004.00000002.4509486281.0000000001080000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 00000004.00000002.4509486281.0000000001080000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: Adobe.exe, 00000004.00000002.4509186980.0000000001000000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: Adobe.exe, 00000004.00000002.4509486281.0000000001080000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000

2_2_00409D1E

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0040B158

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0041696E

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0040B158

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

2_2_00409E4A

Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 5808, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4509656819.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2080081154.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 5808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1268, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041CF2D SystemParametersInfoW,

2_2_0041CF2D

Source: recover.exe

Process created: 70

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: .....scr.exe PID: 1848, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: .....scr.exe PID: 5808, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\ProgramData\Adobe-Reader\Adobe.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress,

2_2_00416861

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_05DD618C	0_2_05DD618C
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_05DD6183	0_2_05DD6183
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_05DD73A8	0_2_05DD73A8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0788A687	0_2_0788A687
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0788A698	0_2_0788A698
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_078893F8	0_2_078893F8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0788AFC8	0_2_0788AFC8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_07888FC0	0_2_07888FC0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_07888B6B	0_2_07888B6B
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0042809D	2_2_0042809D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0045412B	2_2_0045412B
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004421C0	2_2_004421C0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004281D7	2_2_004281D7
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043E1E0	2_2_0043E1E0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041E29B	2_2_0041E29B
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004373DA	2_2_004373DA
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00438380	2_2_00438380
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00453472	2_2_00453472
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0042747E	2_2_0042747E
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043E43D	2_2_0043E43D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004325A1	2_2_004325A1
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043774C	2_2_0043774C
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041F809	2_2_0041F809
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004379F6	2_2_004379F6
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004279F5	2_2_004279F5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0044DAD9	2_2_0044DAD9
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00433C73	2_2_00433C73
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00413CA0	2_2_00413CA0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00437CBD	2_2_00437CBD
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043DD82	2_2_0043DD82
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00435F52	2_2_00435F52
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00437F78	2_2_00437F78
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043DFB1	2_2_0043DFB1
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_0733618C	3_2_0733618C
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_073373A8	3_2_073373A8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_07336183	3_2_07336183
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_0741A687	3_2_0741A687
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_0741A698	3_2_0741A698
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_074193F8	3_2_074193F8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_07418FC0	3_2_07418FC0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_0741AFC8	3_2_0741AFC8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 3_2_07418B56	3_2_07418B56
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10017194	4_2_10017194
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_1000B5C1	4_2_1000B5C1

Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 004351E0 appears 55 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00401F96 appears 49 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00401EBF appears 32 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00434ACF appears 43 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00402117 appears 39 times

Source: .....scr.exe, 00000000.00000000.2055236190.0000000000F7E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegxjs.exe" vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.2083588353.0000000007890000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.2072982789.000000000338B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.2067609331.000000000145E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.2083399936.0000000007790000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000002.00000002.2080081154.0000000000C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegxjs.exe" vs .....scr.exe
Source: .....scr.exe, 00000002.00000002.2080081154.0000000000C57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs .....scr.exe
Source: .....scr.exe	Binary or memory string: OriginalFilenamegxjs.exe" vs .....scr.exe

Source: .....scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: .....scr.exe PID: 1848, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: .....scr.exe PID: 5808, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: .....scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2......scr.exe.7890000.5.raw.unpack, yiBA6ThVAQLoMBwpE8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.7890000.5.raw.unpack, yiBA6ThVAQLoMBwpE8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, yiBA6ThVAQLoMBwpE8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, yiBA6ThVAQLoMBwpE8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.7890000.5.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.7890000.5.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.7890000.5.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@10165/5@1/2

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

2_2_00417AD9

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

2_2_0040C03C

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource,

2_2_0041B9AB

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0041AC43

Source: C:\Users\user\Desktop\.....scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\.....scr.exe.log

Jump to behavior

Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Mutant created: NULL
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe-Reader-DTANWR

Source: .....scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: .....scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\.....scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Adobe.exe, 00000004.00000002.4509186980.0000000001000000.00000040.10000000.00040000.00000000.sdmp

Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

Source: .....scr.exe	Virustotal: Detection: 33%
Source: .....scr.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\.....scr.exe

File read: C:\Users\user\Desktop\.....scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\.....scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: .....scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: .....scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: .....scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: gxjs.pdbSHA256 source: .....scr.exe, Adobe.exe.2.dr
Source:	Binary string: gxjs.pdb source: .....scr.exe, Adobe.exe.2.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2......scr.exe.347f0d0.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.7890000.5.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	.Net Code: COjjOcBrgi System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	.Net Code: COjjOcBrgi System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.7790000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: .....scr.exe

Static PE information: 0xA8F7BB46 [Fri Oct 31 06:33:42 2059 UTC]

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_0041D0CF

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004570CF push ecx; ret	2_2_004570E2
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00435226 push ecx; ret	2_2_00435239
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0045D9ED push esi; ret	2_2_0045D9F6
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00457A00 push eax; ret	2_2_00457A1E
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10002806 push ecx; ret	4_2_10002819

Source: .....scr.exe	Static PE information: section name: .text entropy: 7.8744796025572485
Source: Adobe.exe.2.dr	Static PE information: section name: .text entropy: 7.8744796025572485

Source: 0.2......scr.exe.7890000.5.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	High entropy of concatenated method names: 'sJ5ldIKhgF', 'CB4lTFbYk4', 'G2OlCDb2dJ', 'iRZlLA9gDK', 'NqelXqje5C', 'WQllZiaxtP', 'jNylxchPBP', 'Nj5lsZTHUL', 'obyle7U2Dy', 'g2KlFOJKIT'
Source: 0.2......scr.exe.7890000.5.raw.unpack, lUxvuspYQIg23v5LlK.cs	High entropy of concatenated method names: 'uPsxTG9MCq', 'aAxxLWbEgd', 'jRExZNA5rv', 'i0UZpWgB3a', 'jUyZzjb5KD', 'sdvxAGAjMy', 'wZoxI35qvb', 'ayJxUO8cY5', 'AFwxlbbfPd', 'BIBxj9lyX2'
Source: 0.2......scr.exe.7890000.5.raw.unpack, dH4i4QlkYJQNYI5oma.cs	High entropy of concatenated method names: 'wc7xaHB9tP', 'QIBxqfuyID', 'ATXxOrN7yv', 'BMDx8tiLka', 'uLkxrulx5s', 'W15xYNgcYS', 'JwAxmHyLqy', 'JwmxK10WwI', 'tHtx1shugl', 'aDTxVIfpoC'
Source: 0.2......scr.exe.7890000.5.raw.unpack, yiBA6ThVAQLoMBwpE8.cs	High entropy of concatenated method names: 'JlOCGi06u0', 'omBC6a3pjT', 'pGsCDQtTiG', 'yqdCt2K9AL', 'ePFChYgEke', 'n0eCkhDU3y', 'FHDCNX8ojS', 'zJ8CPeY94d', 'AHOCExVRQa', 'F1hCpLMQtF'
Source: 0.2......scr.exe.7890000.5.raw.unpack, fTUItVdmiCytMeKX2H.cs	High entropy of concatenated method names: 'OoxuvCgZPp', 'wGxu3ctbx1', 'EZUuGDLON4', 'SJCu67yQj6', 'H6luRQl3vL', 'orCu7Hria6', 'Fg5uJYCVPT', 'geyu5nCYol', 'KlVuHnko80', 'NLKuQaqrd1'
Source: 0.2......scr.exe.7890000.5.raw.unpack, vAPKEEKKBkIrw6Zp2qY.cs	High entropy of concatenated method names: 'eeJSprqDRX', 'Cv7SzbfJab', 'E8MnAbtyXv', 'd81nIwCSVW', 'BqxnUuFjgA', 'gSTnlXYU9P', 'Y5rnjCaqJL', 'cLtnd3gpMO', 'IYXnTFak8g', 'HufnCb6tDh'
Source: 0.2......scr.exe.7890000.5.raw.unpack, jioyy21UDmni2gydf1.cs	High entropy of concatenated method names: 'svt4cneTMJ', 'R6E4RPCITw', 'xKI472aciU', 'VDh4JApjNm', 'BOd45LNYC9', 'PSp4HkDp2Z', 'Hjt4Q4Apab', 'Ato4MJeEoK', 'HpE49kcA88', 'Pbw4vRTvjm'
Source: 0.2......scr.exe.7890000.5.raw.unpack, ba5gRELn97Em3r2tov.cs	High entropy of concatenated method names: 'Dispose', 'EJvIEe2lVV', 'uWTURPiBJU', 'rsnwhxB5KI', 'Pv9IpVlpZ7', 'W39IzMl1Aq', 'ProcessDialogKey', 'B7SUAtAFYk', 'lf8UIRA4wH', 'OleUUlVqI8'
Source: 0.2......scr.exe.7890000.5.raw.unpack, d1AdoogCYqrmRNSKls.cs	High entropy of concatenated method names: 'CDkL8P4Dew', 'NumLYEKr4w', 'R9gLKZdF9h', 'VYVL17llvA', 'StlLuie96F', 's3MLBq502W', 'EcMLbb12As', 'WnMLiyReku', 'oH0L47h409', 'wcnLS3V4aV'
Source: 0.2......scr.exe.7890000.5.raw.unpack, WeuISm2dF3ZsNwmsmG.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'OGFUENROgY', 'dDlUpwOHbO', 'UEPUzxvJ8W', 'LavlAFknFP', 'rmolInNqr7', 'uvLlUqefZq', 'pQ1llH6APR', 'Gir5Uv48RRfyc6MaS5l'
Source: 0.2......scr.exe.7890000.5.raw.unpack, rINN7gcadR8xPw0Sdu.cs	High entropy of concatenated method names: 'fSMWKggT94', 'ribW1VXy8S', 'PxhWcibIKI', 'F2YWRjh9UL', 'cdDWJhqlLe', 'LCxW5hdVRc', 'lKGWQCb7Dw', 'rtsWMMaA31', 'WCBWv6m58n', 'tXgW2NjiP0'
Source: 0.2......scr.exe.7890000.5.raw.unpack, Qi6YAXr3JJxQHEJOwX.cs	High entropy of concatenated method names: 'I6rbPHpdcg', 'lqrbpapVWc', 'BAwiAZIgWm', 'ihViIrMFQL', 'Q6wb2LlNdL', 'ovJb3UmBOy', 'Mgkbo7uLR9', 'EfibGqh3Qy', 'Mwgb6dWLcp', 'EXSbDjlRNA'
Source: 0.2......scr.exe.7890000.5.raw.unpack, FDbgkrQ3SU5mkbEMng.cs	High entropy of concatenated method names: 'IwCZDIC5C7', 'pt3ZtNcFm4', 'S1bZh37YTd', 'ToString', 'avkZkla8sY', 'xmMZNnlXIG', 'h3XBrwKpNudXpIv8GP9', 'ljqkekKEfmJcjy3ydqL', 'hoqTInKGqFTXyx402IM'
Source: 0.2......scr.exe.7890000.5.raw.unpack, E5NHonJupZL7sg6rCY.cs	High entropy of concatenated method names: 'V9rZdLDgJ6', 'GfRZCtPJE2', 'S5SZXmiC88', 'gCJZxYfKyS', 'qcmZs1ljGN', 'xQrXhS8Wf8', 'xlZXkwwAvn', 'Re8XNVnPsA', 'cvJXPjbM8U', 'LoWXEsZs29'
Source: 0.2......scr.exe.7890000.5.raw.unpack, Ug65fMFbRObqE4krK9.cs	High entropy of concatenated method names: 'TFNbFhgyJQ', 'D2GbfOpQPf', 'ToString', 'URybTq1yGh', 'nqjbCXyAWl', 'pLgbLYNUHm', 'RpobXly94m', 'fOqbZkYf9u', 't4GbxV6jgv', 'QH3bsat7DN'
Source: 0.2......scr.exe.7890000.5.raw.unpack, iV67N53I7TqPJT6C9v.cs	High entropy of concatenated method names: 'uXNO71F3S', 'm2J8gQedm', 'T1YYlDyiG', 'MnUm9QhCt', 'DYK1RV06x', 'TlrVgHY08', 'MZqJfpkgl6Dircggcv', 'bunGMCZtsZ0ltNvJkf', 'DIxiLw5w9', 'n2CSrjylN'
Source: 0.2......scr.exe.7890000.5.raw.unpack, meQGsqRdplvgWpHZgm.cs	High entropy of concatenated method names: 'yP4IxqbZEe', 'bVEIsyWpuG', 'TiUIF1Lobf', 'dHXIfd3DOH', 'CUrIuupOTQ', 'GVeIB6ND8d', 'WMgnydJQLAagwfxI9p', 'cmBkslPtQl1WGHT0PD', 'OkBIILNOhX', 'GEXIlPSCgx'
Source: 0.2......scr.exe.7890000.5.raw.unpack, CBtRNvKNNuqPd0AOGJv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EOqS2LALr3', 'VrXS38VtHo', 'eIQSoLUvy6', 'aPfSGE1Rh6', 'cjtS6NVNXd', 'lbWSDSyDvu', 'UnyStSIjS4'
Source: 0.2......scr.exe.7890000.5.raw.unpack, xAFaraHMSBjMIaHTK6.cs	High entropy of concatenated method names: 'ToString', 'xxKB2nA4ju', 'BV1BRjYvDC', 'uDdB7avGEg', 'LDUBJVie5B', 'rGGB51GIb0', 'bjuBHTffWs', 'G3bBQ3N1Gs', 'BDcBMJJyN4', 'HO2B9RU5jC'
Source: 0.2......scr.exe.7890000.5.raw.unpack, Lg0Fj100kmv0AFJw3v.cs	High entropy of concatenated method names: 's9n4uNn2Jj', 'yyp4bm4f0s', 'gTk44cPTbp', 'vml4nCil3y', 'MNH4yoBKgt', 'A364gagCk6', 'Dispose', 'y8QiTIIIpO', 'IqXiCdLd35', 'mYfiLSMPiv'
Source: 0.2......scr.exe.7890000.5.raw.unpack, eRU05xzX1aYA8ffgRk.cs	High entropy of concatenated method names: 'fmoSY1Zavc', 'OFPSKlcuoK', 'QITS1P7DOL', 'sjRScRvn5w', 'QvqSRgQQmH', 'lGJSJtpxGN', 'bfvS5Toasi', 'VTESgNI7JP', 'UB9SafVRBk', 'yEPSqX3q8q'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, aoO0GZ8xRBNFTYFtKl.cs	High entropy of concatenated method names: 'sJ5ldIKhgF', 'CB4lTFbYk4', 'G2OlCDb2dJ', 'iRZlLA9gDK', 'NqelXqje5C', 'WQllZiaxtP', 'jNylxchPBP', 'Nj5lsZTHUL', 'obyle7U2Dy', 'g2KlFOJKIT'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, lUxvuspYQIg23v5LlK.cs	High entropy of concatenated method names: 'uPsxTG9MCq', 'aAxxLWbEgd', 'jRExZNA5rv', 'i0UZpWgB3a', 'jUyZzjb5KD', 'sdvxAGAjMy', 'wZoxI35qvb', 'ayJxUO8cY5', 'AFwxlbbfPd', 'BIBxj9lyX2'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, dH4i4QlkYJQNYI5oma.cs	High entropy of concatenated method names: 'wc7xaHB9tP', 'QIBxqfuyID', 'ATXxOrN7yv', 'BMDx8tiLka', 'uLkxrulx5s', 'W15xYNgcYS', 'JwAxmHyLqy', 'JwmxK10WwI', 'tHtx1shugl', 'aDTxVIfpoC'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, yiBA6ThVAQLoMBwpE8.cs	High entropy of concatenated method names: 'JlOCGi06u0', 'omBC6a3pjT', 'pGsCDQtTiG', 'yqdCt2K9AL', 'ePFChYgEke', 'n0eCkhDU3y', 'FHDCNX8ojS', 'zJ8CPeY94d', 'AHOCExVRQa', 'F1hCpLMQtF'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, fTUItVdmiCytMeKX2H.cs	High entropy of concatenated method names: 'OoxuvCgZPp', 'wGxu3ctbx1', 'EZUuGDLON4', 'SJCu67yQj6', 'H6luRQl3vL', 'orCu7Hria6', 'Fg5uJYCVPT', 'geyu5nCYol', 'KlVuHnko80', 'NLKuQaqrd1'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, vAPKEEKKBkIrw6Zp2qY.cs	High entropy of concatenated method names: 'eeJSprqDRX', 'Cv7SzbfJab', 'E8MnAbtyXv', 'd81nIwCSVW', 'BqxnUuFjgA', 'gSTnlXYU9P', 'Y5rnjCaqJL', 'cLtnd3gpMO', 'IYXnTFak8g', 'HufnCb6tDh'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, jioyy21UDmni2gydf1.cs	High entropy of concatenated method names: 'svt4cneTMJ', 'R6E4RPCITw', 'xKI472aciU', 'VDh4JApjNm', 'BOd45LNYC9', 'PSp4HkDp2Z', 'Hjt4Q4Apab', 'Ato4MJeEoK', 'HpE49kcA88', 'Pbw4vRTvjm'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, ba5gRELn97Em3r2tov.cs	High entropy of concatenated method names: 'Dispose', 'EJvIEe2lVV', 'uWTURPiBJU', 'rsnwhxB5KI', 'Pv9IpVlpZ7', 'W39IzMl1Aq', 'ProcessDialogKey', 'B7SUAtAFYk', 'lf8UIRA4wH', 'OleUUlVqI8'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, d1AdoogCYqrmRNSKls.cs	High entropy of concatenated method names: 'CDkL8P4Dew', 'NumLYEKr4w', 'R9gLKZdF9h', 'VYVL17llvA', 'StlLuie96F', 's3MLBq502W', 'EcMLbb12As', 'WnMLiyReku', 'oH0L47h409', 'wcnLS3V4aV'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, WeuISm2dF3ZsNwmsmG.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'OGFUENROgY', 'dDlUpwOHbO', 'UEPUzxvJ8W', 'LavlAFknFP', 'rmolInNqr7', 'uvLlUqefZq', 'pQ1llH6APR', 'Gir5Uv48RRfyc6MaS5l'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, rINN7gcadR8xPw0Sdu.cs	High entropy of concatenated method names: 'fSMWKggT94', 'ribW1VXy8S', 'PxhWcibIKI', 'F2YWRjh9UL', 'cdDWJhqlLe', 'LCxW5hdVRc', 'lKGWQCb7Dw', 'rtsWMMaA31', 'WCBWv6m58n', 'tXgW2NjiP0'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, Qi6YAXr3JJxQHEJOwX.cs	High entropy of concatenated method names: 'I6rbPHpdcg', 'lqrbpapVWc', 'BAwiAZIgWm', 'ihViIrMFQL', 'Q6wb2LlNdL', 'ovJb3UmBOy', 'Mgkbo7uLR9', 'EfibGqh3Qy', 'Mwgb6dWLcp', 'EXSbDjlRNA'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, FDbgkrQ3SU5mkbEMng.cs	High entropy of concatenated method names: 'IwCZDIC5C7', 'pt3ZtNcFm4', 'S1bZh37YTd', 'ToString', 'avkZkla8sY', 'xmMZNnlXIG', 'h3XBrwKpNudXpIv8GP9', 'ljqkekKEfmJcjy3ydqL', 'hoqTInKGqFTXyx402IM'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, E5NHonJupZL7sg6rCY.cs	High entropy of concatenated method names: 'V9rZdLDgJ6', 'GfRZCtPJE2', 'S5SZXmiC88', 'gCJZxYfKyS', 'qcmZs1ljGN', 'xQrXhS8Wf8', 'xlZXkwwAvn', 'Re8XNVnPsA', 'cvJXPjbM8U', 'LoWXEsZs29'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, Ug65fMFbRObqE4krK9.cs	High entropy of concatenated method names: 'TFNbFhgyJQ', 'D2GbfOpQPf', 'ToString', 'URybTq1yGh', 'nqjbCXyAWl', 'pLgbLYNUHm', 'RpobXly94m', 'fOqbZkYf9u', 't4GbxV6jgv', 'QH3bsat7DN'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, iV67N53I7TqPJT6C9v.cs	High entropy of concatenated method names: 'uXNO71F3S', 'm2J8gQedm', 'T1YYlDyiG', 'MnUm9QhCt', 'DYK1RV06x', 'TlrVgHY08', 'MZqJfpkgl6Dircggcv', 'bunGMCZtsZ0ltNvJkf', 'DIxiLw5w9', 'n2CSrjylN'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, meQGsqRdplvgWpHZgm.cs	High entropy of concatenated method names: 'yP4IxqbZEe', 'bVEIsyWpuG', 'TiUIF1Lobf', 'dHXIfd3DOH', 'CUrIuupOTQ', 'GVeIB6ND8d', 'WMgnydJQLAagwfxI9p', 'cmBkslPtQl1WGHT0PD', 'OkBIILNOhX', 'GEXIlPSCgx'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, CBtRNvKNNuqPd0AOGJv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EOqS2LALr3', 'VrXS38VtHo', 'eIQSoLUvy6', 'aPfSGE1Rh6', 'cjtS6NVNXd', 'lbWSDSyDvu', 'UnyStSIjS4'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, xAFaraHMSBjMIaHTK6.cs	High entropy of concatenated method names: 'ToString', 'xxKB2nA4ju', 'BV1BRjYvDC', 'uDdB7avGEg', 'LDUBJVie5B', 'rGGB51GIb0', 'bjuBHTffWs', 'G3bBQ3N1Gs', 'BDcBMJJyN4', 'HO2B9RU5jC'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, Lg0Fj100kmv0AFJw3v.cs	High entropy of concatenated method names: 's9n4uNn2Jj', 'yyp4bm4f0s', 'gTk44cPTbp', 'vml4nCil3y', 'MNH4yoBKgt', 'A364gagCk6', 'Dispose', 'y8QiTIIIpO', 'IqXiCdLd35', 'mYfiLSMPiv'
Source: 0.2......scr.exe.44f98c8.3.raw.unpack, eRU05xzX1aYA8ffgRk.cs	High entropy of concatenated method names: 'fmoSY1Zavc', 'OFPSKlcuoK', 'QITS1P7DOL', 'sjRScRvn5w', 'QvqSRgQQmH', 'lGJSJtpxGN', 'bfvS5Toasi', 'VTESgNI7JP', 'UB9SafVRBk', 'yEPSqX3q8q'

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004062E2 ShellExecuteW,URLDownloadToFileW,

2_2_004062E2

Source: C:\Users\user\Desktop\.....scr.exe

File created: C:\ProgramData\Adobe-Reader\Adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\.....scr.exe

File created: C:\ProgramData\Adobe-Reader\Adobe.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\.....scr.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0041AC43

Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

2_2_0041D0CF

Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5528, type: MEMORYSTR

Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 18E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 91D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: A1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: A3D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: B3D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 2D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 4D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 8990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 9990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: 9B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory allocated: AB80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

2_2_0041A941

Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Window / User API: threadDelayed 3988			Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Window / User API: threadDelayed 5798			Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe	Evaded block: after key decision	graph_2-47987
Source: C:\Users\user\Desktop\.....scr.exe	Evaded block: after key decision	graph_2-47828
Source: C:\Users\user\Desktop\.....scr.exe	Evaded block: after key decision	graph_2-47962

Source: C:\Users\user\Desktop\.....scr.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-47790

Source: C:\Users\user\Desktop\.....scr.exe

API coverage: 6.9 %

Source: C:\Users\user\Desktop\.....scr.exe TID: 5548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 5996	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 348	Thread sleep count: 3988 > 30	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 348	Thread sleep time: -11964000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 7064	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 348	Thread sleep count: 5798 > 30	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 348	Thread sleep time: -17394000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_004090DC
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040B6B5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_0041C7E5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040B8BA
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0044E989 FindFirstFileExA,	2_2_0044E989
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_00408CDE
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00419CEE
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_00407EDD
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00406F13 FindFirstFileW,FindNextFileW,	2_2_00406F13
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_100010F1
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10006580 FindFirstFileExA,	4_2_10006580

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00407357

Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: Adobe.exe, 00000004.00000002.4509791383.00000000011FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe8
Source: Adobe.exe, 00000004.00000002.4509791383.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4509656819.0000000001187000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_0043B88D

Source: C:\Users\user\Desktop\.....scr.exe

2_2_0041D0CF

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004438F4 mov eax, dword ptr fs:[00000030h]		2_2_004438F4
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10004AB4 mov eax, dword ptr fs:[00000030h]		4_2_10004AB4

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

2_2_00411999

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00435398
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0043B88D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00434D6E
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00434F01 SetUnhandledExceptionFilter,	2_2_00434F01
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_100060E2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_10002639
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Code function: 4_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_10002B1C

Source: C:\Users\user\Desktop\.....scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\.....scr.exe	Memory written: C:\Users\user\Desktop\.....scr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\ProgramData\Adobe-Reader\Adobe.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: NULL target: unknown protection: execute and read and write			Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Section loaded: NULL target: unknown protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2685008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 263A008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 281C008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2AE6008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2642008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 3FC008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 3C3008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 3198008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 3170008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2962008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2AB0008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2632008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 27FE008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2957008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2DDE008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2702008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2727008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2EBA008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 2C0E008
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Memory written: C:\Windows\SysWOW64\recover.exe base: 272A008

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004197D9 mouse_event,

2_2_004197D9

Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nsylwtlxiay"	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Process created: unknown unknown	Jump to behavior

Source: Adobe.exe, 00000004.00000002.4509791383.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Adobe.exe, 00000004.00000002.4509656819.0000000001187000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4509791383.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4509791383.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00435034 cpuid

2_2_00435034

Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_004520E2
Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_00452097
Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_0045217D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoA,	2_2_0040F26B
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0045220A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_0044844E
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,	2_2_0045245A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00452583
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,	2_2_0045268A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00452757
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,	2_2_00448937
Source: C:\Users\user\Desktop\.....scr.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00451E1F

Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Users\user\Desktop\.....scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\ProgramData\Adobe-Reader\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe-Reader\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041A1AD __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,GetLocalTime,Sleep,

2_2_0041A1AD

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041BB0E GetUserNameW,

2_2_0041BB0E

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

2_2_004491DA

Source: C:\Users\user\Desktop\.....scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4509656819.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2080081154.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 5808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1268, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\.....scr.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

2_2_0040B59B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\.....scr.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		2_2_0040B6B5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: \key3.db		2_2_0040B6B5

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.43b3590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4339970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4509656819.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2080081154.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2077752023.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2079572873.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 5808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1268, type: MEMORYSTR

Source: C:\Users\user\Desktop\.....scr.exe

Code function: cmd.exe

2_2_00405091

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	12 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 Timestomp	LSA Secrets	33 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report .....scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
.....scr.exe