
Windows Analysis Report
.....scr.exe

Overview

General Information

Sample name: .....scr.exe (renamed because the original name is a hash value)
Original sample name:DELAY NOTICE-EVER BALMY 1129-081A (TPI2508A).xlsx.......................................................................................................................scr.exe
Analysis ID: 1630674
MD5: 03e91c0778ebaf19c339d8b3b0964700
SHA1: 810b7423fdca5f805655ca1400588c5ce6b01184
SHA256: e8fa06add1e83397ada8e5d1816a8e9ae2b3f6e86ec3d4a1264436cee4a26e25
Tags: exe, user-threatcat_ch

Detection

Remcos
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • .....scr.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\.....scr.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
    • .....scr.exe (PID: 1744 cmdline: "C:\Users\user\Desktop\.....scr.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
      • Adobe.exe (PID: 3368 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
        • Adobe.exe (PID: 1620 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
        • Adobe.exe (PID: 2708 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
        • Adobe.exe (PID: 3384 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
          • recover.exe (PID: 3980 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nelsr" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 4268 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzrkjcre" MD5: D38B657A068016768CA9F3B5E100B472)
          • recover.exe (PID: 5328 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\abwdkucfrsrd" MD5: D38B657A068016768CA9F3B5E100B472)
  • Adobe.exe (PID: 7148 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
    • Adobe.exe (PID: 2800 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
    • Adobe.exe (PID: 1908 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
    • Adobe.exe (PID: 6916 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
  • Adobe.exe (PID: 5652 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
    • Adobe.exe (PID: 1852 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
  • Adobe.exe (PID: 5960 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
    • Adobe.exe (PID: 6964 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
    • Adobe.exe (PID: 4852 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
    • Adobe.exe (PID: 4564 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
    • Adobe.exe (PID: 7104 cmdline: "C:\ProgramData\Adobe-Reader\Adobe.exe" MD5: 03E91C0778EBAF19C339D8B3B0964700)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (extracted):
{"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-Reader-DTANWR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe-Reader", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6d758:$a1: Remcos restarted by watchdog!
  • 0x6dda8:$a3: %02i:%02i:%02i:%03i
00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x679f4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x67970:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x67970:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x67e70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x684d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x67a64:$str_b2: Executing file:
  • 0x6889c:$str_b3: GetDirectListeningPort
  • 0x682c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x68448:$str_b7: \update.vbs
  • 0x67a8c:$str_b9: Downloaded file:
  • 0x67a78:$str_b10: Downloading file:
  • 0x67b1c:$str_b12: Failed to upload file:
  • 0x68864:$str_b13: StartForward
  • 0x68884:$str_b14: StopForward
  • 0x683a0:$str_b15: fso.DeleteFile "
  • 0x68334:$str_b16: On Error Resume Next
  • 0x683d0:$str_b17: fso.DeleteFolder "
  • 0x67b0c:$str_b18: Uploaded file:
  • 0x67acc:$str_b19: Unable to delete:
  • 0x68368:$str_b20: while fso.FileExists("
  • 0x67fa9:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
10.2.Adobe.exe.46c4760.5.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
10.2.Adobe.exe.46c4760.5.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
10.2.Adobe.exe.46c4760.5.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
10.2.Adobe.exe.46c4760.5.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6a358:$a1: Remcos restarted by watchdog!
  • 0x6a9a8:$a3: %02i:%02i:%02i:%03i
10.2.Adobe.exe.46c4760.5.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x645f4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64664:$str_b2: Executing file:
  • 0x6549c:$str_b3: GetDirectListeningPort
  • 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65048:$str_b7: \update.vbs
  • 0x6468c:$str_b9: Downloaded file:
  • 0x64678:$str_b10: Downloading file:
  • 0x6471c:$str_b12: Failed to upload file:
  • 0x65464:$str_b13: StartForward
  • 0x65484:$str_b14: StopForward
  • 0x64fa0:$str_b15: fso.DeleteFile "
  • 0x64f34:$str_b16: On Error Resume Next
  • 0x64fd0:$str_b17: fso.DeleteFolder "
  • 0x6470c:$str_b18: Uploaded file:
  • 0x646cc:$str_b19: Unable to delete:
  • 0x64f68:$str_b20: while fso.FileExists("
  • 0x64ba9:$str_c0: [Firefox StoredLogins not found]

              System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe-Reader\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\.....scr.exe, ProcessId: 1744, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-Reader-DTANWR
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe-Reader\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\.....scr.exe, ProcessId: 1744, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-Reader-DTANWR

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T06:49:23.512938+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 104.250.180.178 | 7902 | TCP
2025-03-06T06:49:25.606834+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 104.250.180.178 | 7902 | TCP
2025-03-06T06:49:25.646153+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 178.237.33.50 | 80 | TCP

              AV Detection

Source: 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-Reader-DTANWR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe-Reader", "Keylog folder": "remcos"}
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | ReversingLabs: Detection: 28%
Source: .....scr.exe | Virustotal: Detection: 31%
Source: .....scr.exe | ReversingLabs: Detection: 28%
Source: Yara match | File source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2......scr.exe.372f190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Adobe.exe.4b88fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Adobe.exe.46c4760.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Adobe.exe.4b0f3c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2......scr.exe.36b5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1777233842.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1900115348.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1978237807.000000000105A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2054321367.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4211294866.0000000001407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1929313273.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1989491891.0000000004B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: .....scr.exe PID: 6964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: .....scr.exe PID: 1744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 3384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 6916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 7104, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_00433B64
Source: .....scr.exe, 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

              Exploits

Source: Yara match | File source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2......scr.exe.372f190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Adobe.exe.4b88fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Adobe.exe.46c4760.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Adobe.exe.4b0f3c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2......scr.exe.36b5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1929313273.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1989491891.0000000004B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: .....scr.exe PID: 6964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: .....scr.exe PID: 1744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5652, type: MEMORYSTR

              Privilege Escalation

Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00406ABC _wcslen,CoGetObject,2_2_00406ABC
Source: .....scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: .....scr.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,2_2_004090DC
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040B6B5
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,2_2_0041C7E5
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040B8BA
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,2_2_00408CDE
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419CEE
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,2_2_00407EDD
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00406F13 FindFirstFileW,FindNextFileW,2_2_00406F13
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_100010F1
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0040B477 FindFirstFileW,FindNextFileW,7_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,8_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407898
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407357
Source: C:\Users\user\Desktop\.....scr.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\.....scr.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\.....scr.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\.....scr.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\.....scr.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\.....scr.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C81B68: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C81B67: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07D1A6C0: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07D1A6C8: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BDAC4: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF13C: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF2AC: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF2AC: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF2B8: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF2B8: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF505: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF510: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF5CD: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF5CD: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF5D8: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BF5D8: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C1B68: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C1B15: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C1B4D: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADDAC4: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF13C: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF2AC: 4x nop then push dword ptr [ebp-20h]
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF2AC: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF2B8: 4x nop then push dword ptr [ebp-20h]
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF2B8: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF5CD: 4x nop then push dword ptr [ebp-24h]
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF5CD: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF5D8: 4x nop then push dword ptr [ebp-24h]
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF5D8: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF505: 4x nop then xor edx, edx
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADF510: 4x nop then xor edx, edx
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C1B68: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C1B15: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C1B4D: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861DAC4: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F13C: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F2AC: 4x nop then push dword ptr [ebp-20h]
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F2AC: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F2B8: 4x nop then push dword ptr [ebp-20h]
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F2B8: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F505: 4x nop then xor edx, edx
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F510: 4x nop then xor edx, edx
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F5CD: 4x nop then push dword ptr [ebp-24h]
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F5CD: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F5D8: 4x nop then push dword ptr [ebp-24h]
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861F5D8: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh

              Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49736 -> 104.250.180.178:7902
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49734 -> 104.250.180.178:7902
Source: Malware configuration extractor IPs: 104.250.180.178
Source: global traffic TCP traffic: 192.168.2.4:49734 -> 104.250.180.178:7902
Source: global traffic TCP traffic: 192.168.2.4:50115 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View ASN Name: M247GB M247GB
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49737 -> 178.237.33.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 104.250.180.178 (reported 50 times)
Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_004062E2 ShellExecuteW,URLDownloadToFileW, 2_2_004062E2
Source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Adobe.exe, 00000006.00000002.4214397577.00000000044B0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1848595403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: Adobe.exe, 00000006.00000002.4214397577.00000000044B0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1848595403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: recover.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: recover.exe, 00000007.00000002.1857642807.000000000315D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000007.00000003.1856569834.000000000315D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: recover.exe, 00000007.00000002.1857642807.000000000315D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000007.00000003.1856569834.000000000315D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: 53.210.109.20.in-addr.arpa
Source: bhv906D.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv906D.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv906D.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv906D.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv906D.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: .....scr.exe, Adobe.exe, 00000006.00000002.4211651943.0000000001464000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000006.00000002.4211651943.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: .....scr.exe, 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, .....scr.exe, 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Adobe.exe, 0000000A.00000002.1929313273.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.1989491891.0000000004B0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000006.00000002.4211651943.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp9)
Source: bhv906D.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0
Source: .....scr.exe, 00000000.00000002.1776486626.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1801007285.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000A.00000002.1903299374.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.1981846624.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000013.00000002.2062089631.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Adobe.exe, 00000013.00000002.2062089631.0000000003221000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000013.00000002.2062089631.0000000003238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CRUDDataSet.xsd
Source: .....scr.exe, 00000000.00000002.1776486626.0000000002B73000.00000004.00000800.00020000.00000000.sdmp, .....scr.exe, 00000000.00000002.1776486626.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1801007285.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1801007285.0000000003833000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000A.00000002.1903299374.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000A.00000002.1903299374.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.1981846624.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000013.00000002.2062089631.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd
Source: .....scr.exe, 00000000.00000002.1776486626.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1801007285.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000A.00000002.1903299374.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.1981846624.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000013.00000002.2062089631.0000000003238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd?0ZM
Source: .....scr.exe, 00000000.00000002.1776486626.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1801007285.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000A.00000002.1903299374.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.1981846624.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000013.00000002.2062089631.0000000003221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsdIData
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Adobe.exe, 00000006.00000002.4214397577.00000000044B0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1848595403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: .....scr.exe, 00000000.00000002.1775433418.0000000000C90000.00000004.00000020.00020000.00000000.sdmp, .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Adobe.exe, 00000006.00000002.4214397577.00000000044B0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000003.1848379082.000000000370D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000002.1848595403.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000009.00000003.1848478061.000000000370D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 00000006.00000002.4214397577.00000000044B0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1848595403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 00000006.00000002.4214397577.00000000044B0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000009.00000002.1848595403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 00000009.00000003.1848379082.000000000370D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000009.00000003.1848478061.000000000370D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comta
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: recover.exe, 00000007.00000002.1857114752.00000000009B3000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 00000009.00000002.1848595403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: .....scr.exe, 00000000.00000002.1796587490.0000000009362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: recover.exe, 00000007.00000002.1857335241.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.liv
Source: recover.exe, 00000007.00000002.1857642807.000000000315D000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000007.00000003.1856569834.000000000315D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: recover.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: Adobe.exe, 00000006.00000002.4214397577.00000000044B0000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000009.00000002.1848595403.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: recover.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
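The Suricata JA3 hits, the extracted C2 address 104.250.180.178:7902 and the fifty "TCP traffic detected without corresponding DNS query" entries above describe one behaviour: Remcos connects to a hard-coded IP and never resolves a name for it, while its one ordinary-looking request (GET /json.gp to geoplugin.net, used to geolocate the victim) does go through DNS. The script below is an added example, not Joe Sandbox or Remcos code. It reproduces that heuristic over a connection log: every connection whose destination no DNS answer produced shortly beforehand is flagged, and the flagged destinations are ranked against addresses pulled from a malware configuration. The DNS and connection records are constructed from the indicators in this report; the mapping of geoplugin.net to 178.237.33.50, the 300-second lookback window and the port-53 exclusion are assumptions of the example.

```python
"""Flag TCP connections whose destination IP no preceding DNS answer produced.

Added example: this is not Joe Sandbox or Remcos code. It reproduces the
"TCP traffic without corresponding DNS query" heuristic over a connection
log and cross-checks hits against C2 addresses from a malware config.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float          # seconds since capture start
    qname: str
    ips: tuple         # A records returned for qname


@dataclass(frozen=True)
class TcpConn:
    ts: float
    src: str           # "ip:port"
    dst_ip: str
    dst_port: int


# Constructed sample data modelled on this report's indicators. The
# geoplugin.net -> 178.237.33.50 mapping is an assumption of the example.
DNS_LOG = (
    DnsAnswer(10.0, "geoplugin.net", ("178.237.33.50",)),
)
CONN_LOG = (
    TcpConn(9.5, "192.168.2.4:49734", "104.250.180.178", 7902),
    TcpConn(9.7, "192.168.2.4:49736", "104.250.180.178", 7902),
    TcpConn(10.2, "192.168.2.4:49737", "178.237.33.50", 80),
    TcpConn(12.0, "192.168.2.4:50115", "162.159.36.2", 53),
)
# Addresses a configuration extractor pulled from the sample (the report's C2).
CONFIG_C2 = frozenset({"104.250.180.178"})


def resolved_before(dns_log, ip, ts, window=300.0):
    """True if a DNS answer in the `window` seconds before `ts` returned `ip`."""
    return any(ip in a.ips and ts - window <= a.ts <= ts for a in dns_log)


def find_unresolved_connections(conn_log, dns_log, ignore_ports=frozenset({53})):
    """Group connections by destination IP when that IP was never resolved.

    Port 53 is skipped by default: resolver traffic is the one flow that is
    legitimately sent to an address nobody looked up first.
    """
    hits = defaultdict(list)
    for conn in sorted(conn_log, key=lambda c: c.ts):
        if conn.dst_port in ignore_ports:
            continue
        if not resolved_before(dns_log, conn.dst_ip, conn.ts):
            hits[conn.dst_ip].append(conn)
    return dict(hits)


def rank_destinations(hits, config_c2=CONFIG_C2):
    """Return (ip, severity, ports, count) rows, config-confirmed C2 first.

    A destination that is both unresolved and present in the extracted
    configuration is treated as confirmed C2; the rest stay 'suspicious'.
    """
    rows = []
    for ip, conns in hits.items():
        severity = "c2" if ip in config_c2 else "suspicious"
        ports = tuple(sorted({c.dst_port for c in conns}))
        rows.append((ip, severity, ports, len(conns)))
    return sorted(rows, key=lambda r: (r[1] != "c2", -r[3], r[0]))


if __name__ == "__main__":
    for ip, severity, ports, count in rank_destinations(
        find_unresolved_connections(CONN_LOG, DNS_LOG)
    ):
        print(f"{severity:10} {ip:16} ports={ports} connections={count}")
```

The heuristic is clean in a sandbox because the VM starts with an empty resolver cache and the capture begins before the sample runs. On a live host, names resolved before the capture started or still cached will show up as false positives, so either start the capture at process launch or widen the window to cover the cache TTL. Note also that geoplugin.net passing the check does not make it benign; Remcos queries it to geolocate the victim, and the hostname itself is worth alerting on.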

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000 2_2_00409D1E
Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard, 2_2_0040B158
Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_0041696E
Source: C:\Windows\SysWOW64\recover.exe Code function: 7_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 7_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe Code function: 7_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 7_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe Code function: 8_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 8_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe Code function: 8_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 8_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 9_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe Code function: 9_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 9_2_004072B5
Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 2_2_00409E4A
Source: Yara match File source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2......scr.exe.372f190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Adobe.exe.4b88fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Adobe.exe.46c4760.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Adobe.exe.4b0f3c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2......scr.exe.36b5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1929313273.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1989491891.0000000004B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: .....scr.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: .....scr.exe PID: 1744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe.exe PID: 5652, type: MEMORYSTR
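The call chains in this section show both classic keylogger shapes side by side: a low-level keyboard hook (SetWindowsHookExA with idHook 0000000D, which is WH_KEYBOARD_LL) and the polled path that reads GetKeyboardState and runs it through ToUnicodeEx to turn virtual-key state into text, next to OpenClipboard/GetClipboardData clipboard monitoring. The recover.exe entries belong to the NirSoft recovery tooling the report also flags (www.nirsoft.net strings, the WebBrowserPassView Yara hit) running inside that system binary, and their SetClipboardData chains are the tool writing its results out rather than a monitor. The script below is an added example, not Joe Sandbox tooling: it parses lines in this report's Code function format, including the function id repeated at the end of each line, and labels each function with the capture behaviour its API chain implements. The sample lines are copied from this section; the WH_* table is from WinUser.h.

```python
"""Triage Joe Sandbox 'Code function' call-chain lines for keylogging/clipboard behaviour.

Added example, not Joe Sandbox tooling. The parser handles the report's line
shape, where the function id opens the chain and is repeated at the end.
"""
import re
from dataclasses import dataclass

# Win32 hook ids (WH_* constants from WinUser.h) worth naming in a report.
WH_HOOKS = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# Source: <process> Code function: <fn> <api,api,... or api arg,arg,...> <fn>
# The trailing id may be glued to the last API token; the backreference
# handles both "CloseClipboard,2_2_0040B158" and "CloseClipboard, 2_2_0040B158".
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*Code function:\s*(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+"
    r"(?P<body>.*?),?\s*(?P=fn)\s*$"
)

# Constructed sample: five lines copied from this report's capturing section.
SAMPLE_LINES = (
    r"Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000 2_2_00409D1E",
    r"Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard, 2_2_0040B158",
    r"Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_0041696E",
    r"Source: C:\Windows\SysWOW64\recover.exe Code function: 7_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 7_2_00409E39",
    r"Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 2_2_00409E4A",
)


@dataclass(frozen=True)
class Finding:
    proc: str
    fn: str
    behaviours: tuple


def parse_line(line):
    """Return (process, function id, tokens) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = tuple(t for t in re.split(r"[ ,]+", m["body"]) if t)
    return m["proc"], m["fn"], tokens


def hook_type(tokens):
    """Name the idHook argument that follows SetWindowsHookExA/W, if present."""
    for i, tok in enumerate(tokens):
        if tok.startswith("SetWindowsHookEx") and i + 1 < len(tokens):
            try:
                hook_id = int(tokens[i + 1], 16)
            except ValueError:
                return None
            return WH_HOOKS.get(hook_id, f"WH_{hook_id}")
    return None


def classify(tokens):
    """Map an API chain to the capture behaviours it implements."""
    apis = set(tokens)
    found = []
    hook = hook_type(tokens)
    if hook in ("WH_KEYBOARD", "WH_KEYBOARD_LL"):
        found.append("keyboard_hook:" + hook)
    # Polled capture: keyboard state is read and translated into characters.
    if {"GetKeyboardState", "ToUnicodeEx"} <= apis or "GetAsyncKeyState" in apis:
        found.append("keystroke_translation")
    if {"OpenClipboard", "GetClipboardData"} <= apis:
        found.append("clipboard_read")
    if "SetClipboardData" in apis:
        found.append("clipboard_write")
    return tuple(found)


def triage(lines):
    """Keep only the functions whose chain shows a capture behaviour."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, fn, tokens = parsed
        behaviours = classify(tokens)
        if behaviours:
            findings.append(Finding(proc, fn, behaviours))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.fn}  {f.proc}  {', '.join(f.behaviours)}")
```

These "Contains functionality to ..." chains are reported from the unpacked code, so they prove the capability is present, not that it fired during the run; pair the hook finding with the keyboard-hook and clipboard telemetry of the analysis before calling the keylogger active.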

E-Banking Fraud

Source: Yara match File source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2......scr.exe.372f190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Adobe.exe.4b88fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Adobe.exe.46c4760.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Adobe.exe.4b0f3c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2......scr.exe.36b5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1777233842.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1900115348.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1978237807.000000000105A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2054321367.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4211294866.0000000001407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1929313273.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1989491891.0000000004B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: .....scr.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: .....scr.exe PID: 1744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe.exe PID: 3384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe.exe PID: 6916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe.exe PID: 5652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe.exe PID: 1852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe.exe PID: 7104, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\.....scr.exe Code function: 2_2_0041CF2D SystemParametersInfoW, 2_2_0041CF2D

System Summary

Source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2......scr.exe.372f190.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2......scr.exe.372f190.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 17.2.Adobe.exe.4b88fe0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 17.2.Adobe.exe.4b88fe0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 10.2.Adobe.exe.46c4760.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 10.2.Adobe.exe.46c4760.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 17.2.Adobe.exe.4b0f3c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 17.2.Adobe.exe.4b0f3c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2......scr.exe.36b5570.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2......scr.exe.36b5570.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0000000A.00000002.1929313273.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000011.00000002.1989491891.0000000004B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: .....scr.exe PID: 6964, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: .....scr.exe PID: 1744, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: Adobe.exe PID: 7148, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: Adobe.exe PID: 5652, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
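The rule matches above flag a UAC bypass through the CMSTP COM interfaces (T1218.003): the sample instantiates the auto-elevated CMSTPLUA class through an elevation moniker instead of triggering a consent prompt. The report does not show which strings the matched rule tests, so the following is an added example and not that rule or Joe Sandbox code. It scans a buffer (an unpacked PE, a memory dump) for the CMSTPLUA CLSID and the elevation moniker prefix in the three forms a Windows binary is likely to carry: narrow string, UTF-16LE string and raw little-endian GUID. The function names and the sample buffer are constructed for this example; the CLSID value itself is the public Windows one.

```python
import re
import uuid

# Auto-elevated CMSTPLUA COM class (public Windows CLSID) and the moniker prefix
# that asks COM to create it as Administrator without a UAC prompt.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
ELEVATION_PREFIX = "Elevation:Administrator!new:"

INDICATORS = {
    "cmstplua_clsid": CMSTPLUA_CLSID,
    "elevation_moniker": ELEVATION_PREFIX,
}


def encoded_forms(label, text):
    """Byte patterns to search for: narrow, UTF-16LE and, for the CLSID only,
    the 16-byte GUID struct layout a C/C++ client embeds for CoCreateInstance."""
    forms = {"ascii": text.encode("ascii"), "utf16le": text.encode("utf-16-le")}
    if label == "cmstplua_clsid":
        forms["guid_le"] = uuid.UUID(text).bytes_le
    return forms


def find_cmstp_indicators(blob):
    """Return every occurrence as {indicator, encoding, offset}, sorted by offset."""
    hits = []
    for label, text in INDICATORS.items():
        for enc, needle in encoded_forms(label, text).items():
            # Case-insensitive for text forms: the CLSID hex digits may be written
            # in either case, and IGNORECASE only touches ASCII letters, so the
            # interleaved NULs of the UTF-16LE form are unaffected. The binary GUID
            # is matched exactly.
            flags = 0 if enc == "guid_le" else re.IGNORECASE
            for m in re.finditer(re.escape(needle), blob, flags):
                hits.append({"indicator": label, "encoding": enc, "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def is_cmstp_uac_bypass(blob):
    """Verdict: both the elevation moniker and the CMSTPLUA CLSID are present."""
    found = {h["indicator"] for h in find_cmstp_indicators(blob)}
    return {"cmstplua_clsid", "elevation_moniker"} <= found


def build_sample_dump():
    """Constructed memory-dump fragment (not taken from the report): a UTF-16LE
    moniker, a lower-case narrow copy of the CLSID and its binary GUID form,
    separated by padding."""
    moniker = (ELEVATION_PREFIX + CMSTPLUA_CLSID).encode("utf-16-le")
    return (
        b"\0" * 16
        + moniker
        + b"\0" * 8
        + CMSTPLUA_CLSID.lower().encode("ascii")
        + b"\0" * 4
        + uuid.UUID(CMSTPLUA_CLSID).bytes_le
    )


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for h in find_cmstp_indicators(blob):
        print(f"{h['offset']:#010x} {h['encoding']:8s} {h['indicator']}")
    print("CMSTP UAC bypass indicators:", "present" if is_cmstp_uac_bypass(blob) else "absent")
```

Run it against an unpacked PE or an .sdmp dump to see where the strings sit; on a packed sample the strings only exist in memory, which is why the matches above are on unpacked and dumped regions rather than the file on disk. Legitimate software has little reason to embed the elevation moniker for this CLSID, so a moniker hit is the high-confidence signal and a bare CLSID hit is supporting evidence.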
Source: .....scr.exe | Static PE information: section name: wQ-)8
Source: Adobe.exe.2.dr | Static PE information: section name: wQ-)8
Source: .....scr.exe | Static PE information: section name: (empty)
Source: Adobe.exe.2.dr | Static PE information: section name: (empty)
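Both the submitted file and the dropped Adobe.exe carry a section named wQ-)8 and a section with an empty name. The same check can be reproduced without a PE library by walking the section table directly; the following is an added example, not Joe Sandbox code. It flags names that are empty, non-printable or outside the character set linkers normally emit, and additionally flags sections that are both writable and executable, a trait of packed or self-modifying images. The section names in the constructed sample mirror the report's findings; every other field of that sample is made up.

```python
import re
import struct

# IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE from the section Characteristics field.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

# Names a linker normally emits: letters, digits, '_', '.', '$'. Anything else is
# what the report calls a "section with special chars".
NORMAL_NAME = re.compile(rb"[A-Za-z0-9_.$]+")


def parse_sections(data):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns one dict per IMAGE_SECTION_HEADER."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        (characteristics,) = struct.unpack_from("<I", data, off + 36)
        sections.append({
            "index": i,
            "name": data[off:off + 8].rstrip(b"\0"),   # 8-byte, NUL-padded name
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "characteristics": characteristics,
        })
    return sections


def section_reasons(section):
    """Why a section header looks suspicious; empty list means nothing to report."""
    reasons = []
    name = section["name"]
    if not name:
        reasons.append("nameless")
    elif any(b < 0x20 or b > 0x7E for b in name):
        reasons.append("non-printable characters")
    elif not NORMAL_NAME.fullmatch(name):
        reasons.append("special characters")
    if section["characteristics"] & RWX == RWX:
        reasons.append("writable and executable")
    return reasons


def suspicious_sections(data):
    out = []
    for sec in parse_sections(data):
        reasons = section_reasons(sec)
        if reasons:
            out.append({"index": sec["index"], "name": sec["name"], "reasons": reasons})
    return out


def build_sample():
    """Constructed PE header (not the report's sample): three section headers,
    a zero-length optional header and no section data."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)
    headers = b""
    for name, flags in ((b"wQ-)8", 0xE0000040), (b"", 0xC0000040), (b".text", 0x60000020)):
        headers += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\0\0" + coff + headers


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for hit in suspicious_sections(blob):
        print(f"section {hit['index']} name={hit['name']!r}: {', '.join(hit['reasons'])}")
```

Point it at the file on disk, not a memory dump: the section table is a static property of the PE, and it is one of the few indicators here that survives without unpacking. Names are compared as raw bytes on purpose, since decoding them would hide exactly the non-ASCII garbage a packer leaves behind.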
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_004016FD NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_004017B7 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00402CAC NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00402D66 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C808DF
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C82828
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C83ABF
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C8AA24
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C82B1F
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C830DA
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C864A8
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C864A7
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C8274E
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C82755
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C858E9
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C858F8
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C86B09
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C86B18
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C81D97
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C86D09
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C86D18
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C86F81
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_00C86F90
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_024F1C18
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_024F1C09
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_02517540
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_025112A0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_0251752A
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_05E01100
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_05E00CC8
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_05E068B0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_05E00890
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_05E02BE0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_05E027A8
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_05E07A30
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07D18B84
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07D18B78
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07D19B92
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07D19BB2
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07D17A59
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07D15A4C
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07D17A68
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07FAED70
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_07FAF190
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080BDC19
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080B4C78
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080B089F
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080B08A0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_080B4C68
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A30891
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A32A78
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A3A310
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A36350
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A31208
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A305F0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A33538
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A319C0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A319D0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A30012
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A30040
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A3C210
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A305E1
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A307B2
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A316A8
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 0_2_09A31670
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0042809D
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0045412B
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_004421C0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_004281D7
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0043E1E0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0041E29B
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_004373DA
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00438380
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00453472
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0042747E
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0043E43D
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_004325A1
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0043774C
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0041F809
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_004379F6
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_004279F5
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0044DAD9
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00433C73
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00413CA0
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00437CBD
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0043DD82
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00435F52
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00437F78
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0043DFB1
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C08D2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C2828
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C2B10
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C3AB2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018CAA24
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C30DA
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C6498
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C64A8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C274E
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C2755
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C58E9
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C58F8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C6B09
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C6B18
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C1D87
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C6D09
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C6D18
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C6F81
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_018C6F90
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_03251C18
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_03251C09
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_03277540
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_032712A0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_03277533
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_069927A8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_06992BE0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_06997B70
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0699088E
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_06990CC8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_06996438
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_06991100
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADDC28
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08AD4C78
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08AD08A0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08AD0820
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08ADDC19
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_08AD4C68
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D2A78
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D0891
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D1208
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D62B8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5DA310
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D3538
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D05F0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D19D0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D19C0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5DC278
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D0040
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D0006
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D1670
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D16A8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D07B2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 3_2_0A5D05E1
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 6_2_10017194
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 6_2_1000B5C1
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00442273
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_00405038
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_00449300
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_00413631
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_00446690
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe | Code function: 8_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00405133
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00401246
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00405235
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00401689
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00402F60
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C2828
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C08D2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011CAA24
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C3AB2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011CE020
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C30DA
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C6498
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C64A8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C2755
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C274E
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C58F8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C58E9
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C6B18
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C2B10
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C6B09
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C6D18
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C6D09
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C1D87
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C6F90
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_011C6F81
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_04E61C18
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_04E61C09
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_04E87540
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_04E87533
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_04E812A0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_065B2BE0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_065B27A8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_065B6438
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_065B0CC8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_065B1100
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_085BED70
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_085BF190
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_085BF980
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861DBD5
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_08614C78
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_08610820
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_086108A0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_08614C68
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0861DC19
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A152A78
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A150891
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A151218
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A15A310
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A156350
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A153538
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A1505F0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A1519D0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A1519C0
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A151208
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A15C268
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A150006
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A150040
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A151670
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A1516A8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A1507B2
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A1507D8
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Code function: 10_2_0A1505E1
Source: C:\Users\user\Desktop\.....scr.exe | Code function: String function: 004351E0 appears 55 times
Source: C:\Users\user\Desktop\.....scr.exe | Code function: String function: 00434ACF appears 43 times
Source: C:\Users\user\Desktop\.....scr.exe | Code function: String function: 00401F96 appears 49 times
Source: C:\Users\user\Desktop\.....scr.exe | Code function: String function: 00401EBF appears 32 times
Source: C:\Users\user\Desktop\.....scr.exe | Code function: String function: 00402117 appears 39 times
Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 00413025 appears 79 times
Source: .....scr.exe, 00000000.00000002.1774075595.00000000008FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.1776486626.0000000002717000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.1776486626.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.1799259553.000000000A390000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs .....scr.exe
Source: .....scr.exe, 00000000.00000000.1742547812.000000000035C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameROoq.exe4 vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.1775653468.00000000024C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000002.00000002.1777233842.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameW vs .....scr.exe
Source: .....scr.exe | Binary or memory string: OriginalFilenameROoq.exe4 vs .....scr.exe
Source: .....scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
YARA rule metadata (identical for every match listed below):
Windows_Trojan_Remcos_b296e965: reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
REMCOS_RAT_variants: Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM: author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 0.2......scr.exe.372f190.4.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 17.2.Adobe.exe.4b88fe0.4.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 10.2.Adobe.exe.46c4760.5.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 17.2.Adobe.exe.4b0f3c0.5.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 0.2......scr.exe.36b5570.2.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 0000000A.00000002.1929313273.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 00000011.00000002.1989491891.0000000004B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: .....scr.exe PID: 6964, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: .....scr.exe PID: 1744, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: Adobe.exe PID: 7148, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: Adobe.exe PID: 5652, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965
Source: .....scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: .....scr.exe | Static PE information: Section: wQ-)8 ZLIB complexity 1.0003868508454106
Source: Adobe.exe.2.dr | Static PE information: Section: wQ-)8 ZLIB complexity 1.0003868508454106
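The two static PE rows above are the evidence behind the "PE file contains section with special chars" and "PE file has nameless sections" signatures: a section whose name (wQ-)8) is not a linker-style identifier and whose ZLIB complexity is above 1.0, meaning zlib could not shrink it at all, which is how encrypted or already-compressed payload data looks. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks the section table of a PE image and applies those heuristics (odd name, nameless, incompressible data, writable-and-executable permissions). The PE image it scans is constructed inside the block (a minimal PE32 header with three synthetic sections); the 0.98 incompressibility threshold, the allowed section-name character set, and the assumption that Joe's ZLIB complexity is a compressed-size/raw-size ratio are all assumptions of the example.

```python
"""Flag PE sections that look packed or deliberately odd: non-identifier names,
nameless sections, incompressible (zlib ratio ~1.0) data and W+X permissions.
Added example, stdlib only; thresholds and the name rule are assumed heuristics."""
import math
import random
import string
import struct
import zlib

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200
# Characters a conventional linker-produced section name is assumed to use.
ALLOWED_NAME_CHARS = set(string.ascii_letters + string.digits + "._$")
INCOMPRESSIBLE_RATIO = 0.98  # assumed threshold: zlib gains under 2 %


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """compressed_size / raw_size; assumed to be what the report calls ZLIB complexity."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def section_flags(name: str, data: bytes, characteristics: int) -> list:
    flags = []
    if name == "":
        flags.append("nameless")
    elif any(ch not in ALLOWED_NAME_CHARS for ch in name):
        flags.append("suspicious_name")
    if data and zlib_complexity(data) >= INCOMPRESSIBLE_RATIO:
        flags.append("incompressible")
    if characteristics & IMAGE_SCN_MEM_EXECUTE and characteristics & IMAGE_SCN_MEM_WRITE:
        flags.append("writable_executable")
    return flags


def scan_pe(pe: bytes) -> list:
    """Walk the section table of a PE image and return one finding dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    findings = []
    for i in range(nsections):
        (raw_name, _vsize, _vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        data = pe[raw_ptr:raw_ptr + raw_size]  # on-disk bytes, including alignment padding
        findings.append({
            "name": name,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(data), 3),
            "zlib_complexity": round(zlib_complexity(data), 4),
            "flags": section_flags(name, data, chars),
        })
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed test input: a minimal PE32 image whose only meaningful part is the
    section table. sections = [(name_bytes, data_bytes, characteristics), ...]."""
    opt_header = struct.pack("<H", 0x10B).ljust(224, b"\0")  # PE32 magic, rest zeroed
    headers_len = 0x40 + 4 + 20 + len(opt_header) + 40 * len(sections)
    first_raw = -(-headers_len // FILE_ALIGN) * FILE_ALIGN  # round up to file alignment
    table, blobs, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, data, chars in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += max(raw_size, 0x1000)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt_header), 0x0102)
    header = dos + b"PE\0\0" + coff + opt_header + table
    return header.ljust(first_raw, b"\0") + blobs


_rng = random.Random(1337)  # deterministic stand-in for an encrypted payload
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 200 + b"\xc3", 0x60000020),                          # code, R+X
    (b"wQ-)8", bytes(_rng.getrandbits(8) for _ in range(4096)), 0xE0000040),  # odd name, R+W+X
    (b"", bytes(range(64)), 0xC0000040),                                      # nameless, R+W
])

if __name__ == "__main__":
    for s in scan_pe(SAMPLE_PE):
        print(f"{s['name']!r:10} size={s['raw_size']:5} H={s['entropy']:.2f} "
              f"zlib={s['zlib_complexity']:.3f} flags={s['flags']}")
```

Run against a real file with `scan_pe(open(path, "rb").read())`. Any section that collects "suspicious_name" or "nameless" together with "incompressible" is worth unpacking manually; a high ratio on its own also appears on legitimate .rsrc sections that embed PNG icons, so the name check is what keeps the false-positive rate tolerable.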
Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, GwrZg4a2Re6bu4c1QO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, GwrZg4a2Re6bu4c1QO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.a390000.6.raw.unpack, KcpCqvHULqwe06QwQJ.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.a390000.6.raw.unpack, KcpCqvHULqwe06QwQJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.a390000.6.raw.unpack, KcpCqvHULqwe06QwQJ.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2......scr.exe.4289600.3.raw.unpack, GwrZg4a2Re6bu4c1QO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.4289600.3.raw.unpack, GwrZg4a2Re6bu4c1QO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.4289600.3.raw.unpack, KcpCqvHULqwe06QwQJ.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.4289600.3.raw.unpack, KcpCqvHULqwe06QwQJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.4289600.3.raw.unpack, KcpCqvHULqwe06QwQJ.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2......scr.exe.a390000.6.raw.unpack, GwrZg4a2Re6bu4c1QO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.a390000.6.raw.unpack, GwrZg4a2Re6bu4c1QO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, KcpCqvHULqwe06QwQJ.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, KcpCqvHULqwe06QwQJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, KcpCqvHULqwe06QwQJ.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: .....scr.exe, 00000000.00000002.1796398549.00000000081F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Reserved.slnt
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@36/7@3/2
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\SysWOW64\recover.exe | Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0040C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\.....scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\.....scr.exe.log
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Mutant created: NULL
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Adobe-Reader-DTANWR
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\SysWOW64\recover.exe | File created: C:\Users\user\AppData\Local\Temp\bhv906D.tmp
Source: .....scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\SysWOW64\recover.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\.....scr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\.....scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 00000008.00000002.1846599855.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 00000007.00000002.1857798107.000000000493A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: .....scr.exeVirustotal: Detection: 31%
              Source: .....scr.exeReversingLabs: Detection: 28%
              Source: C:\Users\user\Desktop\.....scr.exeFile read: C:\Users\user\Desktop\.....scr.exeJump to behavior
              Source: C:\Windows\SysWOW64\recover.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
Source: C:\Users\user\Desktop\.....scr.exe | Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
Source: C:\Users\user\Desktop\.....scr.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nelsr"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzrkjcre"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\abwdkucfrsrd"
Source: unknown | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: unknown | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: unknown | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\Users\user\Desktop\.....scr.exe | Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
Source: C:\Users\user\Desktop\.....scr.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nelsr"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzrkjcre"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\abwdkucfrsrd"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
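The process tree above is the Remcos credential-theft pattern worth alerting on: the dropped C:\ProgramData\Adobe-Reader\Adobe.exe launches the legitimate Windows utility C:\Windows\SysWOW64\recover.exe three times with the NirSoft save-to-text switch /stext and a random file name under the user's Temp directory. recover.exe has no such switch; the WebBrowserPassView PDB path later found in recover.exe memory confirms that the process is only a host for injected password-recovery code, and the /stext argument names the file the stolen credentials were written to. The following Python is an added example for this report, not part of the Joe Sandbox output: it runs three detection rules over constructed Sysmon-style process-creation records modelled on this tree. The record layout (ParentImage=...|Image=...|CommandLine=...), the rule names, the severity labels and the two benign control records are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed Sysmon-style (Event ID 1) process-creation records modelled on the
# process tree above. They are illustrative input for this example, not lines
# taken from the report or from a real sensor.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Users\user\Desktop\.....scr.exe|Image=C:\ProgramData\Adobe-Reader\Adobe.exe|CommandLine="C:\ProgramData\Adobe-Reader\Adobe.exe"',
    r'ParentImage=C:\ProgramData\Adobe-Reader\Adobe.exe|Image=C:\Windows\SysWOW64\recover.exe|CommandLine=C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nelsr"',
    r'ParentImage=C:\ProgramData\Adobe-Reader\Adobe.exe|Image=C:\Windows\SysWOW64\recover.exe|CommandLine=C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzrkjcre"',
    # benign control: an administrator using recover.exe for its documented purpose
    r'ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\recover.exe|CommandLine=recover D:\report.docx',
    # benign control: an ordinary application start from Program Files
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Vendor\App.exe|CommandLine="C:\Program Files\Vendor\App.exe"',
]

# Locations a standard user can write to. A Windows binary whose parent lives
# here is being driven by something that was dropped, not by the OS.
USER_WRITABLE = re.compile(r'^c:\\(programdata|users)\\', re.IGNORECASE)
# Where genuine Windows binaries live; a hollowed copy keeps this image path.
SYSTEM_DIRS = re.compile(r'^c:\\windows\\(system32|syswow64)\\', re.IGNORECASE)
# NirSoft "save report" switches (/stext, /shtml, ...) followed by the output
# file, quoted or not. recover.exe itself has no such switch.
NIRSOFT_SAVE_SWITCH = re.compile(
    r'/s(?:text|html|verhtml|xml|csv|comma|tab)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    severity: str
    image: str
    artifact: str  # path or parent worth collecting during response


def parse_event(line: str) -> Dict[str, str]:
    """Split 'ParentImage=..|Image=..|CommandLine=..' into a dict. CommandLine
    is last, so splitting at most twice keeps any '|' inside the command line."""
    fields: Dict[str, str] = {}
    for part in line.split('|', 2):
        key, _, value = part.partition('=')
        fields[key] = value
    return fields


def evaluate(event: Dict[str, str]) -> List[Alert]:
    parent = event.get('ParentImage', '')
    image = event.get('Image', '')
    cmd = event.get('CommandLine', '')
    alerts: List[Alert] = []

    # Rule 1: a system binary given a NirSoft save switch. The switch proves the
    # code running in the process is not recover.exe's own; the captured path
    # is where the recovered credentials were written.
    m = NIRSOFT_SAVE_SWITCH.search(cmd)
    if m and SYSTEM_DIRS.match(image):
        alerts.append(Alert('nirsoft_switch_in_system_binary', 'high', image,
                            m.group(1) or m.group(2)))

    # Rule 2: a system binary spawned by an executable in a user-writable path.
    if SYSTEM_DIRS.match(image) and USER_WRITABLE.match(parent):
        alerts.append(Alert('system_binary_from_user_writable_parent', 'medium', image, parent))

    # Rule 3: any executable running from ProgramData or a user profile.
    if USER_WRITABLE.match(image):
        alerts.append(Alert('executable_in_user_writable_path', 'low', image, image))
    return alerts


def scan(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        alerts.extend(evaluate(parse_event(line)))
    return alerts


def dump_paths(alerts: List[Alert]) -> List[str]:
    """Files the injected NirSoft tool was told to write: collect these first."""
    return [a.artifact for a in alerts if a.rule == 'nirsoft_switch_in_system_binary']


if __name__ == '__main__':
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f'[{a.severity}] {a.rule}: {a.image} ({a.artifact})')
    print('credential dumps to collect:', dump_paths(found))
```

Rule 1 is the high-confidence signal and is independent of the parent: a recover.exe, or any other System32/SysWOW64 binary, carrying a NirSoft switch is running foreign code regardless of who started it. Rules 2 and 3 are context that also fires for ordinary software installed per-user, so they are scored lower and are most useful for enriching a rule 1 hit. The two benign records produce no alert.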
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: twext.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: starttiledata.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: acppage.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: aepic.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\.....scr.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\recover.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\.....scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\.....scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: .....scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: .....scr.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: .....scr.exe | Static file information: File size 1419776 > 1048576
Source: .....scr.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13ea00
Source: .....scr.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: Adobe.exe, 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp

              Data Obfuscation

Source: 0.2......scr.exe.a390000.6.raw.unpack, KcpCqvHULqwe06QwQJ.cs | .Net Code: DBc7wUe8uo System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.4289600.3.raw.unpack, KcpCqvHULqwe06QwQJ.cs | .Net Code: DBc7wUe8uo System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, KcpCqvHULqwe06QwQJ.cs | .Net Code: DBc7wUe8uo System.Reflection.Assembly.Load(byte[])
Source: .....scr.exe | Static PE information: 0xDB5934C7 [Tue Aug 13 05:55:19 2086 UTC]
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_0041D0CF
Source: .....scr.exe | Static PE information: section name: wQ-)8
Source: .....scr.exe | Static PE information: section name:
Source: Adobe.exe.2.dr | Static PE information: section name: wQ-)8
Source: Adobe.exe.2.dr | Static PE information: section name:
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_00C8444C push esp; ret 0_2_00C8444D
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_00C80538 pushad ; ret 0_2_00C80552
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_00C83FFC push esp; ret 0_2_00C83FFD
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_024F45B0 pushfd ; iretd 0_2_024F45D5
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_024F3980 pushfd ; iretd 0_2_024F45D5
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_0251F7D8 push esp; ret 0_2_0251F7E9
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_02519D52 push 8B000001h; iretd 0_2_02519D74
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_02519D7F push 8B000001h; iretd 0_2_02519D85
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_07D18B32 push edi; retf 0_2_07D18B33
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_07D19730 push edi; retf 0_2_07D1973E
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_07D19632 push edi; retf 0_2_07D1973E
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_004570CF push ecx; ret 2_2_004570E2
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00435226 push ecx; ret 2_2_00435239
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00457A00 push eax; ret 2_2_00457A1E
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 3_2_0327F7D8 push esp; ret 3_2_0327F7E9
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 3_2_03279D7F push 8B000001h; iretd 3_2_03279D85
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 3_2_03279D52 push 8B000001h; iretd 3_2_03279D74
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 6_2_10002806 push ecx; ret 6_2_10002819
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 6_2_10009FD8 push esi; ret 6_2_10009FD9
              Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00446B75 push ecx; ret 7_2_00446B85
              Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_00452BB4 push eax; ret 7_2_00452BC1
              Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_0044DDB0 push eax; ret 7_2_0044DDC4
              Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_0044DDB0 push eax; ret 7_2_0044DDEC
              Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044B090 push eax; ret 8_2_0044B0A4
              Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_0044B090 push eax; ret 8_2_0044B0CC
              Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00444E71 push ecx; ret 8_2_00444E81
              Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_00414060 push eax; ret 9_2_00414074
              Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_00414060 push eax; ret 9_2_0041409C
              Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_00414039 push ecx; ret 9_2_00414049
              Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_004164EB push 0000006Ah; retf 9_2_004165C4
              Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_00416553 push 0000006Ah; retf 9_2_004165C4
              Source: .....scr.exeStatic PE information: section name: wQ-)8 entropy: 7.99806966636687
              Source: .....scr.exeStatic PE information: section name: .text entropy: 7.950716222869888
              Source: Adobe.exe.2.drStatic PE information: section name: wQ-)8 entropy: 7.99806966636687
              Source: Adobe.exe.2.drStatic PE information: section name: .text entropy: 7.950716222869888
              Source: 0.2......scr.exe.a390000.6.raw.unpack, OQCcOgMPkhuSnld9W2.cs | High entropy of concatenated method names: 'A6oqaRq2ct', 'licqrl6WmI', 'KurqTKs3nD', 'WbLqNh66GN', 'wVyq5pEpdT', 'EFkqALKVYT', 'Dr2qR5pHE5', 'n3rqIeN20Q', 'JUEq1pUeKI', 'ILSqCZePpw'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, Q4NQHOUEpnOiQYnjW5.cs | High entropy of concatenated method names: 'lsOJ65MgSD', 'xKQJuHPXZ4', 'QZYlVGusJm', 'lXhlQM6py2', 'f3EJC8G7vl', 'zVQJfR9Th5', 'IxxJMP4sUB', 'bMhJ2Jhw5C', 'OYMJOeCUoT', 'Eq0J8E17eb'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, D72KEJQ7FyPedRaEGcB.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ziBsKny55Q', 'kyKshbJD13', 'eC8sp1DVc2', 'ALbss5XZfW', 'pmNsPZmJwd', 'xtssniBUPT', 'kUWs0qlMLx'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, fTr1pjQVOk08C6mvbUM.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mDmhCmJvru', 'A3IhfsV4Fs', 'LPEhMqmvNh', 'MS1h2MnrMZ', 'juUhOHYTlj', 'EDGh8F0O0E', 'Dp2hLpAk8o'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, uXdfjoT3ex2DBcTUk8.cs | High entropy of concatenated method names: 'BYNFygtiwY', 't4qFXddoK6', 'dd5FgvERoM', 'kcJFejuRgM', 'kuHFHvhVVi', 'ajfgkZUpCh', 'dJYgUw33mx', 'n1UgjDguts', 'cfdg6XqqTd', 'Xm7gdpkQgv'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, eQeYThRPLUkVTtWjuV.cs | High entropy of concatenated method names: 'ya8eB3UJve', 'j4EeG8v9cS', 'NDHeFep1P1', 'eWgFuKagu9', 'DPQFz5b26s', 'rnSeVuAnhu', 'AvTeQDLbqi', 'BCNeEhoBWW', 'dsDec837r3', 'Yoje7bvpH5'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, inT4xyLsOSe7ir6xFN.cs | High entropy of concatenated method names: 'jauJWpSK1y', 'fmMJtkZC1e', 'ToString', 'BwiJBrXJdn', 'iLEJXGNKrG', 'aJaJGcn7gV', 'ID2JgwR1dQ', 'pm7JFipDWn', 'eSZJePGweK', 'hD7JHGOGXM'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, zB5ecj8MTrQaAoqbAr.cs | High entropy of concatenated method names: 'ToString', 'mNyiCgZBhR', 't2DiNHwyvX', 'z2dib42rEO', 'DsCi5scfhg', 'hJqiAwRbRk', 'QwViY65A7p', 'kumiR7qgBb', 'tD0iIbXhLv', 'uBwivbUrrC'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, tO5YKrjAT7TNqNUb3A.cs | High entropy of concatenated method names: 'tbCK4Drjw2', 'OLlKJbuhJ4', 'iPLKKBQ7k2', 'bcNKptW8k2', 'sFKKPhRXbK', 'MyaK0H7pn8', 'Dispose', 'xE7lBiljTi', 'bPElX2rMyK', 'stTlG3FWNb'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, GwrZg4a2Re6bu4c1QO.cs | High entropy of concatenated method names: 'RRuX29VPUl', 'lm2XOKA4ZB', 'wiaX8YxQg7', 'dZVXLRpJNL', 'BaqXkjIFOt', 'jo9XUIRmcJ', 'Nc9XjhPAjD', 'N1nX6rZlRR', 'LpsXdXTtxC', 'xEPXujQ7io'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, tbjd2fXFluN1kub0yG.cs | High entropy of concatenated method names: 'Dispose', 'dTNQdqNUb3', 'vYIENjwcdM', 'DVLOoVZxn3', 'J2dQuDg6V1', 'L8MQz43vYu', 'ProcessDialogKey', 'PaaEVSiH1K', 'T9WEQBs4fV', 'bjTEEi18aL'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, C3FZFP5GOCKJMGFNlG.cs | High entropy of concatenated method names: 'ROOF0iv9I8', 'aluFoKBwE5', 'xtGFwJVvjW', 'FgVFm7gMpx', 'TKIFxvhWNA', 'cJpF3kDFAd', 'F26Frsb9vY', 'SsIFZslx56', 'zQeB6kNyMGl1bJU4c63', 'EK0mhJNhb6kqTIlde4U'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, VEChENEpET4Hh1EuAq.cs | High entropy of concatenated method names: 'fWLwNDNA9', 'qinmjDD0F', 'UAbxa3o5F', 'fCi3Gj8jY', 'wHArwd4Gl', 'dlUZAfknT', 'hvuq5KDYsOLxPUv32m', 'YF4WYgKpY4XKS6jjyo', 'uI5lIEjLB', 'CYQhENFjN'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, fbRgBKQQ9usijGGfqJW.cs | High entropy of concatenated method names: 'uSThuPUF4V', 'Xl6hzOyAHY', 'tw3pV3GoqC', 'oFXpQSwgjf', 'Fk6pE2JlEZ', 'yWepcp5M3t', 'ndhp7vu7CH', 'TeBpykHx7p', 'KCEpB3MtWp', 'q1DpX9HJyB'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, JKga8E7AGix0jkZaZF.cs | High entropy of concatenated method names: 'HOTQewrZg4', 'RReQH6bu4c', 'pluQWWpAEf', 'TQPQt8Y0hF', 'Cn1Q4f7sXd', 'PjoQi3ex2D', 'qyBO2rVylJvU5Qdbll', 'WP2HFZ2dArGnfpNcck', 'AMDQQcJ8wR', 'm42QcmBERI'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, wUEjqsGH1vxfO5QDwF.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TXREdI8AJa', 'aWHEuSWYB9', 'sL8EzwX9hD', 'r6XcVXikNW', 'Q5ncQjYmQx', 'RCDcEC2wiX', 'VXbccNSmXI', 'OkUwLkYME5qwfCsIJRo'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, KcpCqvHULqwe06QwQJ.cs | High entropy of concatenated method names: 'ckAcycg3XY', 'QQScBSZjJS', 'abPcXEinTq', 'yBkcGSaxq6', 'sg6cgPC1aW', 'jlscFeqv1y', 'N3YcetbKXM', 'aqgcHlIVMi', 'j4DcSntmUd', 'jqDcWaiKHp'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, Oihl5irluWpAEfkQP8.cs | High entropy of concatenated method names: 'EHPGmCaCv8', 'RbMGx45PTr', 'Dj1GaYj0YO', 'nWTGrIqZqx', 'cYYG4nZek7', 'gYdGi19ggv', 'WJDGJnjyRg', 'cOHGlyW5G2', 'rggGK7T7SO', 'Ir3GhSOkpO'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, SUie1s21aIAZQ4CDCp.cs | High entropy of concatenated method names: 'Qwq41YpUqM', 'fOJ4f7SG87', 'zWg42Y5ysO', 'T6A4OmFef7', 'IlY4N2ce7d', 'E4C4btN7wr', 'uJ145LVfO0', 'TOO4A1alnm', 'BQq4YjDrOV', 'act4R0swXb'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, ciBCiovaw0rbPrcfrR.cs | High entropy of concatenated method names: 'tD6eo9bxxQ', 'MaMe9q68pn', 'Ed2ewdb1iA', 'jbaemUDrsR', 'LdBeDVaDK0', 'WHKexKbaNY', 'A5oe3WEbuZ', 'SCSeaAxvsr', 'bxWerLyfKN', 'xPyeZt348x'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, DSiH1Kd89WBs4fVQjT.cs | High entropy of concatenated method names: 'Gd2KTuy857', 's0VKNjAKb6', 'kFGKbb65DO', 'tLPK5f9wKt', 'e9uKAxjk8T', 'T3uKYQ4vwr', 'j8RKRGiNfK', 'lCDKIneXLP', 'JbSKvf6pqq', 'jjEK1hny5B'
              Source: 0.2......scr.exe.a390000.6.raw.unpack, p18aLHuhM3dqSreK5q.cs | High entropy of concatenated method names: 'MWnhGBH0uj', 'Bt4hgQIxHJ', 'zvwhF8c9OV', 'tm7hejGu3v', 'FsnhKLjgRZ', 'BflhHD5JfI', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, OQCcOgMPkhuSnld9W2.cs | High entropy of concatenated method names: 'A6oqaRq2ct', 'licqrl6WmI', 'KurqTKs3nD', 'WbLqNh66GN', 'wVyq5pEpdT', 'EFkqALKVYT', 'Dr2qR5pHE5', 'n3rqIeN20Q', 'JUEq1pUeKI', 'ILSqCZePpw'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, Q4NQHOUEpnOiQYnjW5.cs | High entropy of concatenated method names: 'lsOJ65MgSD', 'xKQJuHPXZ4', 'QZYlVGusJm', 'lXhlQM6py2', 'f3EJC8G7vl', 'zVQJfR9Th5', 'IxxJMP4sUB', 'bMhJ2Jhw5C', 'OYMJOeCUoT', 'Eq0J8E17eb'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, D72KEJQ7FyPedRaEGcB.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ziBsKny55Q', 'kyKshbJD13', 'eC8sp1DVc2', 'ALbss5XZfW', 'pmNsPZmJwd', 'xtssniBUPT', 'kUWs0qlMLx'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, fTr1pjQVOk08C6mvbUM.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mDmhCmJvru', 'A3IhfsV4Fs', 'LPEhMqmvNh', 'MS1h2MnrMZ', 'juUhOHYTlj', 'EDGh8F0O0E', 'Dp2hLpAk8o'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, uXdfjoT3ex2DBcTUk8.cs | High entropy of concatenated method names: 'BYNFygtiwY', 't4qFXddoK6', 'dd5FgvERoM', 'kcJFejuRgM', 'kuHFHvhVVi', 'ajfgkZUpCh', 'dJYgUw33mx', 'n1UgjDguts', 'cfdg6XqqTd', 'Xm7gdpkQgv'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, eQeYThRPLUkVTtWjuV.cs | High entropy of concatenated method names: 'ya8eB3UJve', 'j4EeG8v9cS', 'NDHeFep1P1', 'eWgFuKagu9', 'DPQFz5b26s', 'rnSeVuAnhu', 'AvTeQDLbqi', 'BCNeEhoBWW', 'dsDec837r3', 'Yoje7bvpH5'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, inT4xyLsOSe7ir6xFN.cs | High entropy of concatenated method names: 'jauJWpSK1y', 'fmMJtkZC1e', 'ToString', 'BwiJBrXJdn', 'iLEJXGNKrG', 'aJaJGcn7gV', 'ID2JgwR1dQ', 'pm7JFipDWn', 'eSZJePGweK', 'hD7JHGOGXM'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, zB5ecj8MTrQaAoqbAr.cs | High entropy of concatenated method names: 'ToString', 'mNyiCgZBhR', 't2DiNHwyvX', 'z2dib42rEO', 'DsCi5scfhg', 'hJqiAwRbRk', 'QwViY65A7p', 'kumiR7qgBb', 'tD0iIbXhLv', 'uBwivbUrrC'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, tO5YKrjAT7TNqNUb3A.cs | High entropy of concatenated method names: 'tbCK4Drjw2', 'OLlKJbuhJ4', 'iPLKKBQ7k2', 'bcNKptW8k2', 'sFKKPhRXbK', 'MyaK0H7pn8', 'Dispose', 'xE7lBiljTi', 'bPElX2rMyK', 'stTlG3FWNb'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, GwrZg4a2Re6bu4c1QO.cs | High entropy of concatenated method names: 'RRuX29VPUl', 'lm2XOKA4ZB', 'wiaX8YxQg7', 'dZVXLRpJNL', 'BaqXkjIFOt', 'jo9XUIRmcJ', 'Nc9XjhPAjD', 'N1nX6rZlRR', 'LpsXdXTtxC', 'xEPXujQ7io'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, tbjd2fXFluN1kub0yG.cs | High entropy of concatenated method names: 'Dispose', 'dTNQdqNUb3', 'vYIENjwcdM', 'DVLOoVZxn3', 'J2dQuDg6V1', 'L8MQz43vYu', 'ProcessDialogKey', 'PaaEVSiH1K', 'T9WEQBs4fV', 'bjTEEi18aL'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, C3FZFP5GOCKJMGFNlG.cs | High entropy of concatenated method names: 'ROOF0iv9I8', 'aluFoKBwE5', 'xtGFwJVvjW', 'FgVFm7gMpx', 'TKIFxvhWNA', 'cJpF3kDFAd', 'F26Frsb9vY', 'SsIFZslx56', 'zQeB6kNyMGl1bJU4c63', 'EK0mhJNhb6kqTIlde4U'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, VEChENEpET4Hh1EuAq.cs | High entropy of concatenated method names: 'fWLwNDNA9', 'qinmjDD0F', 'UAbxa3o5F', 'fCi3Gj8jY', 'wHArwd4Gl', 'dlUZAfknT', 'hvuq5KDYsOLxPUv32m', 'YF4WYgKpY4XKS6jjyo', 'uI5lIEjLB', 'CYQhENFjN'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, fbRgBKQQ9usijGGfqJW.cs | High entropy of concatenated method names: 'uSThuPUF4V', 'Xl6hzOyAHY', 'tw3pV3GoqC', 'oFXpQSwgjf', 'Fk6pE2JlEZ', 'yWepcp5M3t', 'ndhp7vu7CH', 'TeBpykHx7p', 'KCEpB3MtWp', 'q1DpX9HJyB'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, JKga8E7AGix0jkZaZF.cs | High entropy of concatenated method names: 'HOTQewrZg4', 'RReQH6bu4c', 'pluQWWpAEf', 'TQPQt8Y0hF', 'Cn1Q4f7sXd', 'PjoQi3ex2D', 'qyBO2rVylJvU5Qdbll', 'WP2HFZ2dArGnfpNcck', 'AMDQQcJ8wR', 'm42QcmBERI'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, wUEjqsGH1vxfO5QDwF.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TXREdI8AJa', 'aWHEuSWYB9', 'sL8EzwX9hD', 'r6XcVXikNW', 'Q5ncQjYmQx', 'RCDcEC2wiX', 'VXbccNSmXI', 'OkUwLkYME5qwfCsIJRo'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, KcpCqvHULqwe06QwQJ.cs | High entropy of concatenated method names: 'ckAcycg3XY', 'QQScBSZjJS', 'abPcXEinTq', 'yBkcGSaxq6', 'sg6cgPC1aW', 'jlscFeqv1y', 'N3YcetbKXM', 'aqgcHlIVMi', 'j4DcSntmUd', 'jqDcWaiKHp'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, Oihl5irluWpAEfkQP8.cs | High entropy of concatenated method names: 'EHPGmCaCv8', 'RbMGx45PTr', 'Dj1GaYj0YO', 'nWTGrIqZqx', 'cYYG4nZek7', 'gYdGi19ggv', 'WJDGJnjyRg', 'cOHGlyW5G2', 'rggGK7T7SO', 'Ir3GhSOkpO'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, SUie1s21aIAZQ4CDCp.cs | High entropy of concatenated method names: 'Qwq41YpUqM', 'fOJ4f7SG87', 'zWg42Y5ysO', 'T6A4OmFef7', 'IlY4N2ce7d', 'E4C4btN7wr', 'uJ145LVfO0', 'TOO4A1alnm', 'BQq4YjDrOV', 'act4R0swXb'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, ciBCiovaw0rbPrcfrR.cs | High entropy of concatenated method names: 'tD6eo9bxxQ', 'MaMe9q68pn', 'Ed2ewdb1iA', 'jbaemUDrsR', 'LdBeDVaDK0', 'WHKexKbaNY', 'A5oe3WEbuZ', 'SCSeaAxvsr', 'bxWerLyfKN', 'xPyeZt348x'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, DSiH1Kd89WBs4fVQjT.cs | High entropy of concatenated method names: 'Gd2KTuy857', 's0VKNjAKb6', 'kFGKbb65DO', 'tLPK5f9wKt', 'e9uKAxjk8T', 'T3uKYQ4vwr', 'j8RKRGiNfK', 'lCDKIneXLP', 'JbSKvf6pqq', 'jjEK1hny5B'
              Source: 0.2......scr.exe.4289600.3.raw.unpack, p18aLHuhM3dqSreK5q.cs | High entropy of concatenated method names: 'MWnhGBH0uj', 'Bt4hgQIxHJ', 'zvwhF8c9OV', 'tm7hejGu3v', 'FsnhKLjgRZ', 'BflhHD5JfI', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, OQCcOgMPkhuSnld9W2.cs | High entropy of concatenated method names: 'A6oqaRq2ct', 'licqrl6WmI', 'KurqTKs3nD', 'WbLqNh66GN', 'wVyq5pEpdT', 'EFkqALKVYT', 'Dr2qR5pHE5', 'n3rqIeN20Q', 'JUEq1pUeKI', 'ILSqCZePpw'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, Q4NQHOUEpnOiQYnjW5.cs | High entropy of concatenated method names: 'lsOJ65MgSD', 'xKQJuHPXZ4', 'QZYlVGusJm', 'lXhlQM6py2', 'f3EJC8G7vl', 'zVQJfR9Th5', 'IxxJMP4sUB', 'bMhJ2Jhw5C', 'OYMJOeCUoT', 'Eq0J8E17eb'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, D72KEJQ7FyPedRaEGcB.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ziBsKny55Q', 'kyKshbJD13', 'eC8sp1DVc2', 'ALbss5XZfW', 'pmNsPZmJwd', 'xtssniBUPT', 'kUWs0qlMLx'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, fTr1pjQVOk08C6mvbUM.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mDmhCmJvru', 'A3IhfsV4Fs', 'LPEhMqmvNh', 'MS1h2MnrMZ', 'juUhOHYTlj', 'EDGh8F0O0E', 'Dp2hLpAk8o'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, uXdfjoT3ex2DBcTUk8.cs | High entropy of concatenated method names: 'BYNFygtiwY', 't4qFXddoK6', 'dd5FgvERoM', 'kcJFejuRgM', 'kuHFHvhVVi', 'ajfgkZUpCh', 'dJYgUw33mx', 'n1UgjDguts', 'cfdg6XqqTd', 'Xm7gdpkQgv'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, eQeYThRPLUkVTtWjuV.cs | High entropy of concatenated method names: 'ya8eB3UJve', 'j4EeG8v9cS', 'NDHeFep1P1', 'eWgFuKagu9', 'DPQFz5b26s', 'rnSeVuAnhu', 'AvTeQDLbqi', 'BCNeEhoBWW', 'dsDec837r3', 'Yoje7bvpH5'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, inT4xyLsOSe7ir6xFN.cs | High entropy of concatenated method names: 'jauJWpSK1y', 'fmMJtkZC1e', 'ToString', 'BwiJBrXJdn', 'iLEJXGNKrG', 'aJaJGcn7gV', 'ID2JgwR1dQ', 'pm7JFipDWn', 'eSZJePGweK', 'hD7JHGOGXM'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, zB5ecj8MTrQaAoqbAr.cs | High entropy of concatenated method names: 'ToString', 'mNyiCgZBhR', 't2DiNHwyvX', 'z2dib42rEO', 'DsCi5scfhg', 'hJqiAwRbRk', 'QwViY65A7p', 'kumiR7qgBb', 'tD0iIbXhLv', 'uBwivbUrrC'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, tO5YKrjAT7TNqNUb3A.cs | High entropy of concatenated method names: 'tbCK4Drjw2', 'OLlKJbuhJ4', 'iPLKKBQ7k2', 'bcNKptW8k2', 'sFKKPhRXbK', 'MyaK0H7pn8', 'Dispose', 'xE7lBiljTi', 'bPElX2rMyK', 'stTlG3FWNb'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, GwrZg4a2Re6bu4c1QO.cs | High entropy of concatenated method names: 'RRuX29VPUl', 'lm2XOKA4ZB', 'wiaX8YxQg7', 'dZVXLRpJNL', 'BaqXkjIFOt', 'jo9XUIRmcJ', 'Nc9XjhPAjD', 'N1nX6rZlRR', 'LpsXdXTtxC', 'xEPXujQ7io'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, tbjd2fXFluN1kub0yG.cs | High entropy of concatenated method names: 'Dispose', 'dTNQdqNUb3', 'vYIENjwcdM', 'DVLOoVZxn3', 'J2dQuDg6V1', 'L8MQz43vYu', 'ProcessDialogKey', 'PaaEVSiH1K', 'T9WEQBs4fV', 'bjTEEi18aL'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, C3FZFP5GOCKJMGFNlG.cs | High entropy of concatenated method names: 'ROOF0iv9I8', 'aluFoKBwE5', 'xtGFwJVvjW', 'FgVFm7gMpx', 'TKIFxvhWNA', 'cJpF3kDFAd', 'F26Frsb9vY', 'SsIFZslx56', 'zQeB6kNyMGl1bJU4c63', 'EK0mhJNhb6kqTIlde4U'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, VEChENEpET4Hh1EuAq.cs | High entropy of concatenated method names: 'fWLwNDNA9', 'qinmjDD0F', 'UAbxa3o5F', 'fCi3Gj8jY', 'wHArwd4Gl', 'dlUZAfknT', 'hvuq5KDYsOLxPUv32m', 'YF4WYgKpY4XKS6jjyo', 'uI5lIEjLB', 'CYQhENFjN'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, fbRgBKQQ9usijGGfqJW.cs | High entropy of concatenated method names: 'uSThuPUF4V', 'Xl6hzOyAHY', 'tw3pV3GoqC', 'oFXpQSwgjf', 'Fk6pE2JlEZ', 'yWepcp5M3t', 'ndhp7vu7CH', 'TeBpykHx7p', 'KCEpB3MtWp', 'q1DpX9HJyB'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, JKga8E7AGix0jkZaZF.cs | High entropy of concatenated method names: 'HOTQewrZg4', 'RReQH6bu4c', 'pluQWWpAEf', 'TQPQt8Y0hF', 'Cn1Q4f7sXd', 'PjoQi3ex2D', 'qyBO2rVylJvU5Qdbll', 'WP2HFZ2dArGnfpNcck', 'AMDQQcJ8wR', 'm42QcmBERI'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, wUEjqsGH1vxfO5QDwF.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'TXREdI8AJa', 'aWHEuSWYB9', 'sL8EzwX9hD', 'r6XcVXikNW', 'Q5ncQjYmQx', 'RCDcEC2wiX', 'VXbccNSmXI', 'OkUwLkYME5qwfCsIJRo'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, KcpCqvHULqwe06QwQJ.cs | High entropy of concatenated method names: 'ckAcycg3XY', 'QQScBSZjJS', 'abPcXEinTq', 'yBkcGSaxq6', 'sg6cgPC1aW', 'jlscFeqv1y', 'N3YcetbKXM', 'aqgcHlIVMi', 'j4DcSntmUd', 'jqDcWaiKHp'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, Oihl5irluWpAEfkQP8.cs | High entropy of concatenated method names: 'EHPGmCaCv8', 'RbMGx45PTr', 'Dj1GaYj0YO', 'nWTGrIqZqx', 'cYYG4nZek7', 'gYdGi19ggv', 'WJDGJnjyRg', 'cOHGlyW5G2', 'rggGK7T7SO', 'Ir3GhSOkpO'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, SUie1s21aIAZQ4CDCp.cs | High entropy of concatenated method names: 'Qwq41YpUqM', 'fOJ4f7SG87', 'zWg42Y5ysO', 'T6A4OmFef7', 'IlY4N2ce7d', 'E4C4btN7wr', 'uJ145LVfO0', 'TOO4A1alnm', 'BQq4YjDrOV', 'act4R0swXb'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, ciBCiovaw0rbPrcfrR.cs | High entropy of concatenated method names: 'tD6eo9bxxQ', 'MaMe9q68pn', 'Ed2ewdb1iA', 'jbaemUDrsR', 'LdBeDVaDK0', 'WHKexKbaNY', 'A5oe3WEbuZ', 'SCSeaAxvsr', 'bxWerLyfKN', 'xPyeZt348x'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, DSiH1Kd89WBs4fVQjT.cs | High entropy of concatenated method names: 'Gd2KTuy857', 's0VKNjAKb6', 'kFGKbb65DO', 'tLPK5f9wKt', 'e9uKAxjk8T', 'T3uKYQ4vwr', 'j8RKRGiNfK', 'lCDKIneXLP', 'JbSKvf6pqq', 'jjEK1hny5B'
              Source: 0.2......scr.exe.41cb7e0.5.raw.unpack, p18aLHuhM3dqSreK5q.cs | High entropy of concatenated method names: 'MWnhGBH0uj', 'Bt4hgQIxHJ', 'zvwhF8c9OV', 'tm7hejGu3v', 'FsnhKLjgRZ', 'BflhHD5JfI', 'Next', 'Next', 'Next', 'NextBytes'
              Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_004062E2 ShellExecuteW,URLDownloadToFileW,2_2_004062E2
              Source: C:\Users\user\Desktop\.....scr.exe | File created: C:\ProgramData\Adobe-Reader\Adobe.exe

              Boot Survival

              Source: C:\Users\user\Desktop\.....scr.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR
              Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_0041AC43
              Source: C:\Users\user\Desktop\.....scr.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-Reader-DTANWR
              Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_0041D0CF
              Source: C:\Users\user\Desktop\.....scr.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\recover.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match | File source: Process Memory Space: .....scr.exe PID: 6964, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5652, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5960, type: MEMORYSTR
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: C80000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: 26B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: 2480000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: 4DF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: 5DF0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: 5F20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: 6F20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: B700000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: C700000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\.....scr.exe | Memory allocated: 4DF0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 1860000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 3370000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 31E0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 5980000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 6980000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 6AB0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 7AB0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: C040000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: D040000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 5980000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 11C0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 2DF0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 4DF0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 55A0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 65A0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 66D0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 76D0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: BB60000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: CB60000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 55A0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 1490000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 2E70000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 4E70000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 55B0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 65B0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 66E0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 76E0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: BC30000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: CC30000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: D0C0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: E0C0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 1620000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 3220000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 1750000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 5950000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 6950000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 6A80000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: 7A80000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: BAC0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: CAC0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: CF50000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Memory allocated: DF50000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\recover.exe | Code function: 7_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_0041A941 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 240000
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 239874
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 239732
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 239624
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 239514
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 239406
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 239296
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 239187
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 239078
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 238830
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 238685
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 238562
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 238384
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 238281
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 238167
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 238062
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 237953
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 237843
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 237733
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 237606
              Source: C:\Users\user\Desktop\.....scr.exe | Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 240000
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239889
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239779
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239669
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239553
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239400
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239284
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 238992
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 238812
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 238665
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 240000
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239890
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239781
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239668
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239556
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239453
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239344
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239221
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239085
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 238959
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 238797
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 238663
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 240000
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239868
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239750
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239640
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239523
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239422
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239312
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239189
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239031
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 240000
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239859
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239734
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239606
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239500
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239390
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239279
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 239172
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\.....scr.exeWindow / User API: threadDelayed 1672
              Source: C:\Users\user\Desktop\.....scr.exeWindow / User API: threadDelayed 1607
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeWindow / User API: threadDelayed 1153
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeWindow / User API: threadDelayed 4206
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeWindow / User API: threadDelayed 5784
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeWindow / User API: threadDelayed 1488
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeWindow / User API: threadDelayed 402
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeWindow / User API: threadDelayed 1557
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeWindow / User API: threadDelayed 1272
              Source: C:\Users\user\Desktop\.....scr.exeEvaded block: after key decisiongraph_2-47085
              Source: C:\Users\user\Desktop\.....scr.exeEvaded block: after key decisiongraph_2-47246
              Source: C:\Users\user\Desktop\.....scr.exeEvaded block: after key decisiongraph_2-47221
              Source: C:\Users\user\Desktop\.....scr.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_2-47047
              Source: C:\Users\user\Desktop\.....scr.exeAPI coverage: 6.9 %
              Source: C:\Windows\SysWOW64\recover.exeAPI coverage: 9.4 %
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -11990383647911201s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -240000s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239874s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239732s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239624s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239514s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239406s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239296s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239187s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239078s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -238830s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -238685s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -238562s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -238384s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -238281s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -238167s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -238062s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -237953s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -237843s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -237733s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -237606s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exe TID: 7116Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -240000s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -239889s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -239779s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -239669s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -239553s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -239400s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -239284s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -238992s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -238812s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 2260Thread sleep time: -238665s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 5012Thread sleep count: 4206 > 30
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 5012Thread sleep time: -12618000s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 5012Thread sleep count: 5784 > 30
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 5012Thread sleep time: -17352000s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -240000s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -239890s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -239781s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -239668s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -239556s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -239453s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -239344s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -239221s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -239085s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -238959s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -238797s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -238663s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -240000s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -239868s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -239750s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -239640s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -239523s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -239422s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -239312s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -239189s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6016Thread sleep time: -239031s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 6984Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3340Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3340Thread sleep time: -240000s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3340Thread sleep time: -239859s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3340Thread sleep time: -239734s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3340Thread sleep time: -239606s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3340Thread sleep time: -239500s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3340Thread sleep time: -239390s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3340Thread sleep time: -239279s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 3340Thread sleep time: -239172s >= -30000s
              Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 1136Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,2_2_004090DC
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040B6B5
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,2_2_0041C7E5
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040B8BA
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,2_2_00408CDE
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419CEE
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,2_2_00407EDD
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00406F13 FindFirstFileW,FindNextFileW,2_2_00406F13
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_100010F1
              Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_0040B477 FindFirstFileW,FindNextFileW,7_2_0040B477
              Source: C:\Windows\SysWOW64\recover.exeCode function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,8_2_00407EF8
              Source: C:\Windows\SysWOW64\recover.exeCode function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407898
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407357
              Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_0041A8D8 memset,GetSystemInfo,7_2_0041A8D8
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 240000
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 239874
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 239732
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 239624
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 239514
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 239406
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 239296
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 239187
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 239078
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 238830
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 238685
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 238562
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 238384
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 238281
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 238167
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 238062
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 237953
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 237843
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 237733
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 237606
              Source: C:\Users\user\Desktop\.....scr.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 240000
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239889
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239779
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239669
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239553
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239400
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239284
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 238992
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 238812
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 238665
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 240000
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239890
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239781
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239668
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239556
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239453
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239344
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239221
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239085
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 238959
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 238797
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 238663
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 240000
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239868
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239750
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239640
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239523
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239422
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239312
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239189
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239031
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 240000
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239859
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239734
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239606
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239500
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239390
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239279
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 239172
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeThread delayed: delay time: 922337203685477
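How to read the sleep evidence above, as an added triage script by the editor (not part of the Joe Sandbox report). The `Thread sleep time: -240000s >= -30000s` lines print the negative relative interval handed to the wait; the `s` suffix notwithstanding, the magnitudes are milliseconds, which is the only reading under which TID 5012's `sleep count: 4206` and `sleep time: -12618000` pair up (4206 sleeps of exactly 3000 ms, a 3-second polling loop) and `240000` becomes a four-minute wait rather than a 66-hour one. Values on the order of 10^14 and above can never elapse inside a run (922337203685477 is Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue in milliseconds). The runs 240000, 239874, 239732, ... are a wait being re-armed against a fixed deadline: each request is what remained after the previous one returned early, and the roughly 100 ms step per iteration is consistent with a sandbox that shortcuts sleeps without advancing the clock, which is exactly the environment such a loop never finishes in. The script embeds a few of the lines above as constructed input, separates effectively infinite waits from real ones, recovers the loop period from count/time pairs, and flags the countdown pattern.

```python
import re
from collections import defaultdict

# Constructed input: a handful of the evidence lines above, verbatim, one run per thread.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239874s >= -30000s
Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239732s >= -30000s
Source: C:\Users\user\Desktop\.....scr.exe TID: 7104Thread sleep time: -239624s >= -30000s
Source: C:\Users\user\Desktop\.....scr.exe TID: 7116Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 5012Thread sleep count: 4206 > 30
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 5012Thread sleep time: -12618000s >= -30000s
Source: C:\ProgramData\Adobe-Reader\Adobe.exe TID: 708Thread sleep time: -922337203685477s >= -30000s
"""

LINE_RE = re.compile(
    r"Source: (?P<src>.+?) TID: (?P<tid>\d+)Thread sleep (?P<kind>time|count): -?(?P<val>\d+)"
)

# The report prints "s", but the magnitudes only make sense as milliseconds: TID 5012's
# count/time pair is 4206 sleeps of exactly 3000 ms, and 240000 is then a 4-minute wait.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000      # 922337203685477: Int64.MaxValue ticks in ms
NEVER_ELAPSES_MS = 24 * 3600 * 1000          # longer than any run: treat as an infinite wait
LONG_SLEEP_MS = 30_000                       # the report's own ">= -30000" threshold


def parse_sleep_lines(text):
    """Return one dict per parsable evidence line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"src": m["src"], "tid": int(m["tid"]),
                           "kind": m["kind"], "val": int(m["val"])})
    return events


def countdown_run(values, max_step_ms=1000):
    """Length of the longest run (>= 3) of strictly decreasing values with small steps.

    240000, 239874, 239732, ... is a wait re-armed against a fixed deadline: each request
    is the time still remaining after the previous one returned early. A sandbox that
    skips sleeps without moving the clock forward never gets past such a deadline.
    """
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        if 0 < prev - cur <= max_step_ms:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best if best >= 3 else 0


def summarise(events):
    """Per (image, TID): how many waits can never elapse, how many are long, whether the
    thread counts down to a deadline, and the per-iteration period of a sleep loop."""
    per_thread = defaultdict(lambda: {"times": [], "count": None})
    for e in events:
        slot = per_thread[(e["src"], e["tid"])]
        if e["kind"] == "count":
            slot["count"] = e["val"]
        else:
            slot["times"].append(e["val"])

    out = {}
    for key, slot in per_thread.items():
        times = slot["times"]
        finite = [t for t in times if t < NEVER_ELAPSES_MS]
        info = {
            "infinite_waits": len(times) - len(finite),
            "long_sleeps": sum(1 for t in finite if t >= LONG_SLEEP_MS),
            "countdown_len": countdown_run(finite),
            "loop_period_ms": None,
        }
        # "sleep count N" next to a single total lets us recover the loop's period.
        if slot["count"] and len(finite) == 1 and finite[0] % slot["count"] == 0:
            info["loop_period_ms"] = finite[0] // slot["count"]
        out[key] = info
    return out


if __name__ == "__main__":
    for (src, tid), info in summarise(parse_sleep_lines(SAMPLE_LINES)).items():
        name = src.rsplit("\\", 1)[-1]
        print(f"{name} TID {tid}: {info}")
```

Run against the full list above, the script reports TID 7104 as a 21-step countdown from 240000 ms bracketed by two waits that never elapse, and TID 5012 as two 3-second polling loops. In practice that means a detonation that only skips sleeps will show the sample idling; give it the real four minutes or accelerate the guest clock.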
              Source: C:\Users\user\Desktop\.....scr.exeFile opened: C:\Users\user\AppData\Roaming
              Source: C:\Users\user\Desktop\.....scr.exeFile opened: C:\Users\user
              Source: C:\Users\user\Desktop\.....scr.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
              Source: C:\Users\user\Desktop\.....scr.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Users\user\Desktop\.....scr.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
              Source: C:\Users\user\Desktop\.....scr.exeFile opened: C:\Users\user\AppData
              Source: Adobe.exe, 00000006.00000002.4211294866.0000000001407000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`.H
              Source: Adobe.exe, 00000006.00000002.4211651943.000000000147A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Windows\SysWOW64\recover.exeAPI call chain: ExitProcess graph end node
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_00C81B68 CheckRemoteDebuggerPresent,0_2_00C81B68
              Source: C:\Users\user\Desktop\.....scr.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\.....scr.exeProcess queried: DebugPort
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0043B88D
              Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,7_2_0040BAE3
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_0041D0CF LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_0041D0CF
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_004438F4 mov eax, dword ptr fs:[00000030h]2_2_004438F4
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 6_2_10004AB4 mov eax, dword ptr fs:[00000030h]6_2_10004AB4
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,2_2_00411999
              Source: C:\Users\user\Desktop\.....scr.exeProcess token adjusted: Debug
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\recover.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00435398
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0043B88D
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00434D6E
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00434F01 SetUnhandledExceptionFilter,2_2_00434F01
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 6_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_100060E2
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 6_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_10002639
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 6_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_10002B1C
              Source: C:\Users\user\Desktop\.....scr.exeMemory allocated: page read and write | page guard
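Not every line in the Anti Debugging list carries the same weight, and the script below (an added example by the editor, not part of the report) sorts them. `Process queried: DebugPort` and `CheckRemoteDebuggerPresent` are the same NtQueryInformationProcess(ProcessDebugPort) check and are deliberate. The chain `IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter` (sometimes preceded by `IsProcessorFeaturePresent`) is the MSVC runtime's fast-fail/abort path, and it shows up in identical shape in three unrelated images here (`2_2_0043B88D`, `2_2_00434D6E`, `6_2_100060E2`), which is how compiler boilerplate looks; it should not be scored as evasion. `mov eax, dword ptr fs:[00000030h]` merely loads the 32-bit PEB pointer; it is anti-debug only if the next loads read `BeingDebugged` (PEB+2) or `NtGlobalFlag` (PEB+68h), so confirm in the disassembly. `Process token adjusted: Debug` is SeDebugPrivilege being enabled, which prepares the cross-process access seen in the next section and says nothing about debugger detection. The evidence lines are embedded verbatim as constructed input; the weights are the editor's, not Joe Sandbox's.

```python
import re
from collections import Counter

# Constructed input: the Anti Debugging evidence lines above, copied verbatim.
EVIDENCE = r"""
Source: C:\Users\user\Desktop\.....scr.exeCode function: 0_2_00C81B68 CheckRemoteDebuggerPresent,0_2_00C81B68
Source: C:\Users\user\Desktop\.....scr.exeProcess queried: DebugPort
Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0043B88D
Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00434D6E
Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 6_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_100060E2
Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_004438F4 mov eax, dword ptr fs:[00000030h]2_2_004438F4
Source: C:\ProgramData\Adobe-Reader\Adobe.exeCode function: 6_2_10004AB4 mov eax, dword ptr fs:[00000030h]6_2_10004AB4
Source: C:\Users\user\Desktop\.....scr.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\recover.exeCode function: 7_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,7_2_0040BAE3
"""

LINE_RE = re.compile(
    r"Source: (?P<src>.+?\.exe)(?P<desc>(?:Code function|Process queried|Process token adjusted): .*)"
)
# "Code function: <id> <call chain or instruction><id>"; the id closes the line.
FUNC_RE = re.compile(r"Code function: (?P<fid>\S+) (?P<body>.*?),?(?P=fid)$")

# MSVC runtime fast-fail/abort path; recurs identically in unrelated images above.
CRT_FASTFAIL = ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter")


def _contains_seq(calls, seq):
    n = len(seq)
    return any(tuple(calls[i:i + n]) == seq for i in range(len(calls) - n + 1))


def classify(desc):
    """Return (category, weight, reason) for one evidence description."""
    if desc.startswith("Process queried: DebugPort"):
        return ("anti_debug", 3, "NtQueryInformationProcess(ProcessDebugPort): a direct debugger check")
    if desc.startswith("Process token adjusted: Debug"):
        return ("privilege", 0, "SeDebugPrivilege enabled: prepares cross-process access, not a debugger check")
    m = FUNC_RE.search(desc)
    if not m:
        return ("unclassified", 0, desc)
    body = m["body"]
    calls = [c.strip() for c in body.split(",") if c.strip()]
    if "CheckRemoteDebuggerPresent" in calls:
        return ("anti_debug", 3, "CheckRemoteDebuggerPresent: the same DebugPort query via kernel32")
    if _contains_seq(calls, CRT_FASTFAIL):
        return ("crt_boilerplate", 0, "MSVC fast-fail path; not a deliberate check")
    if "IsDebuggerPresent" in calls:
        return ("anti_debug", 2, "IsDebuggerPresent outside the CRT pattern")
    if "fs:[00000030h]" in body:
        return ("peb_access", 1, "loads the 32-bit PEB; anti-debug only if BeingDebugged (+2) "
                                 "or NtGlobalFlag (+68h) is read next, so confirm in the disassembly")
    return ("unclassified", 0, body)


def score(text):
    """Weighted anti-debug score plus per-category counts and per-line reasons."""
    counts, total, details = Counter(), 0, []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        cat, weight, why = classify(m["desc"])
        counts[cat] += 1
        total += weight
        details.append((m["src"].rsplit("\\", 1)[-1], cat, why))
    return {"score": total, "counts": dict(counts), "details": details}


if __name__ == "__main__":
    result = score(EVIDENCE)
    print(result["score"], result["counts"])
    for image, cat, why in result["details"]:
        print(f"  {image:14} {cat:16} {why}")
```

The recover.exe chain (`NtQuerySystemInformation ... DuplicateHandle ... _wcsicmp`) is left unclassified on purpose: it is handle enumeration with name comparison, which the report files under anti-debugging but which the classifier has no basis to score either way.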

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\.....scr.exeMemory written: C:\Users\user\Desktop\.....scr.exe base: 400000 value starts with: 4D5A
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeMemory written: C:\ProgramData\Adobe-Reader\Adobe.exe base: 400000 value starts with: 4D5A
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeMemory written: C:\ProgramData\Adobe-Reader\Adobe.exe base: 400000 value starts with: 4D5A
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeMemory written: C:\ProgramData\Adobe-Reader\Adobe.exe base: 400000 value starts with: 4D5A
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeMemory written: C:\ProgramData\Adobe-Reader\Adobe.exe base: 400000 value starts with: 4D5A
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeSection loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2CB5008
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 3068008
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeMemory written: C:\Windows\SysWOW64\recover.exe base: 2F95008
              Source: C:\Users\user\Desktop\.....scr.exeCode function: 2_2_004197D9 mouse_event,2_2_004197D9
              Source: C:\Users\user\Desktop\.....scr.exeProcess created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
              Source: C:\Users\user\Desktop\.....scr.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nelsr"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzrkjcre"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\abwdkucfrsrd"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeProcess created: C:\ProgramData\Adobe-Reader\Adobe.exe "C:\ProgramData\Adobe-Reader\Adobe.exe"
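The memory and process-creation evidence above describes one chain, and the script below (an added example by the editor, not part of the report) turns it into detection logic. `Memory written: <same image> base: 400000 value starts with: 4D5A` is an MZ header landing at the default image base of a process with the same path as the writer: the sample and then Adobe.exe each start a copy of themselves and replace the child's image (RunPE / process hollowing). `Section loaded: NULL target: recover.exe protection: execute and read and write` is an RWX section mapped into recover.exe, the NtMapViewOfSection style of injection, followed by writes into that process. recover.exe is the Windows file-recovery utility and takes no `/stext` switch; `/stext <file>` is the NirSoft *PassView family's save-to-text option, so the code answering it is the injected password-recovery tool and the three Temp files (`nelsr`, `pzrkjcre`, `abwdkucfrsrd`) are the credential dumps to collect first in an incident. The records below are constructed from the paths and command lines above; the PIDs are invented because the report does not give them, and the benign recover.exe control is likewise made up.

```python
import re

# Constructed records modelled on the evidence above. Paths and command lines are the
# report's own; PIDs are invented for illustration (the report does not give them).
PROC_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\user\Desktop\.....scr.exe",
     "cmdline": r'"C:\Users\user\Desktop\.....scr.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\user\Desktop\.....scr.exe",
     "cmdline": r'"C:\Users\user\Desktop\.....scr.exe"'},
    {"pid": 200, "ppid": 101, "image": r"C:\ProgramData\Adobe-Reader\Adobe.exe",
     "cmdline": r'"C:\ProgramData\Adobe-Reader\Adobe.exe"'},
    {"pid": 201, "ppid": 200, "image": r"C:\ProgramData\Adobe-Reader\Adobe.exe",
     "cmdline": r'"C:\ProgramData\Adobe-Reader\Adobe.exe"'},
    {"pid": 300, "ppid": 201, "image": r"C:\Windows\SysWOW64\recover.exe",
     "cmdline": r'C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\nelsr"'},
    {"pid": 301, "ppid": 201, "image": r"C:\Windows\SysWOW64\recover.exe",
     "cmdline": r'C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\pzrkjcre"'},
    # Benign control (constructed): recover.exe used the documented way, no suspicious parent.
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\recover.exe",
     "cmdline": r"recover.exe D:\backup\notes.txt"},
]

MEM_EVENTS = [
    # "Memory written: <same image> base: 400000 value starts with: 4D5A"
    {"src": 100, "dst": 101, "kind": "write", "base": 0x400000, "prefix": b"MZ"},
    {"src": 200, "dst": 201, "kind": "write", "base": 0x400000, "prefix": b"MZ"},
    # "Section loaded: NULL target: recover.exe protection: execute and read and write"
    {"src": 201, "dst": 300, "kind": "map_section", "protection": "RWX"},
    {"src": 201, "dst": 301, "kind": "map_section", "protection": "RWX"},
]

# NirSoft save-to-file switches; none of them is accepted by a Windows system utility.
NIRSOFT_SAVE_SWITCH = re.compile(r"\s/s(?:text|comma|tab|html|verhtml|xml|csv|json)\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def _under(path, prefixes):
    return path.lower().startswith(prefixes)


def triage(proc_events, mem_events):
    """Turn process-creation and cross-process memory events into findings."""
    by_pid = {p["pid"]: p for p in proc_events}
    findings = []

    # 1. A PE header written at the default image base of another process: that process's
    #    image is being replaced (RunPE / hollowing). Here the writer spawned a copy of
    #    itself first, so source and target carry the same path.
    for m in mem_events:
        if m["kind"] == "write" and m["base"] == 0x400000 and m["prefix"] == b"MZ":
            src, dst = by_pid[m["src"]], by_pid[m["dst"]]
            findings.append(("pe_overwrite", src["image"], dst["pid"],
                             "same image" if src["image"] == dst["image"] else "foreign image"))

    # 2. An RWX section mapped into a different process (NtMapViewOfSection-style injection).
    mapped = {(m["src"], m["dst"]) for m in mem_events
              if m["kind"] == "map_section" and m["protection"] == "RWX"}
    for src, dst in sorted(mapped):
        findings.append(("rwx_section_map", by_pid[src]["image"], dst, by_pid[dst]["image"]))

    # 3. A system binary started from a user-writable directory with a NirSoft save switch
    #    it does not understand: the code honouring the switch is injected, and the path
    #    after it is the dump file to collect.
    for p in proc_events:
        parent = by_pid.get(p["ppid"])
        if parent is None or not _under(p["image"], SYSTEM_DIRS) \
                or not _under(parent["image"], USER_WRITABLE):
            continue
        m = NIRSOFT_SAVE_SWITCH.search(p["cmdline"])
        if m:
            dump_path = p["cmdline"][m.end():].strip().strip('"')
            state = "injected" if (parent["pid"], p["pid"]) in mapped else "not-injected"
            findings.append(("credential_dump", p["image"], dump_path, state))
    return findings


if __name__ == "__main__":
    for finding in triage(PROC_EVENTS, MEM_EVENTS):
        print(finding)
```

Rule 3 alone is a usable hunting query on Sysmon event 1 or EDR process telemetry (system binary, user-writable parent, `/s<format>` switch); rules 1 and 2 need the sandbox's or an EDR's cross-process memory events and are what lifts the `/stext` hit from "odd command line" to "injected credential stealer".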
              Source: Adobe.exe, 00000006.00000002.4211651943.0000000001451000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: Adobe.exe, 00000006.00000002.4211651943.0000000001451000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager19
              Source: Adobe.exe, 00000006.00000002.4211651943.0000000001464000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000006.00000002.4211651943.0000000001451000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\.....scr.exe | Code function: 2_2_00435034 cpuid 2_2_00435034
Source: C:\Users\user\Desktop\.....scr.exe | Code function: EnumSystemLocalesW,2_2_004520E2
Source: C:\Users\user\Desktop\.....scr.exe | Code function: EnumSystemLocalesW,2_2_00452097
Source: C:\Users\user\Desktop\.....scr.exe | Code function: EnumSystemLocalesW,2_2_0045217D
Source: C:\Users\user\Desktop\.....scr.exe | Code function: GetLocaleInfoA,2_2_0040F26B
Source: C:\Users\user\Desktop\.....scr.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_0045220A
Source: C:\Users\user\Desktop\.....scr.exe | Code function: EnumSystemLocalesW,2_2_0044844E
Source: C:\Users\user\Desktop\.....scr.exe | Code function: GetLocaleInfoW,2_2_0045245A
Source: C:\Users\user\Desktop\.....scr.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00452583
Source: C:\Users\user\Desktop\.....scr.exe | Code function: GetLocaleInfoW,2_2_0045268A
Source: C:\Users\user\Desktop\.....scr.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00452757
Source: C:\Users\user\Desktop\.....scr.exe | Code function: GetLocaleInfoW,2_2_00448937
Source: C:\Users\user\Desktop\.....scr.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_00451E1F
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Users\user\Desktop\.....scr.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\.....scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeQueries volume information: C:\ProgramData\Adobe-Reader\Adobe.exe VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe-Reader\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\recover.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\.....scr.exe; Code function: 2_2_0041A1AD __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,GetLocalTime,Sleep, 2_2_0041A1AD
Source: C:\Users\user\Desktop\.....scr.exe; Code function: 2_2_0041BB0E GetUserNameW, 2_2_0041BB0E
Source: C:\Users\user\Desktop\.....scr.exe; Code function: 2_2_004493F7 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_004493F7
Source: C:\Windows\SysWOW64\recover.exe; Code function: 7_2_004192F2 GetVersionExW, 7_2_004192F2
Source: C:\Users\user\Desktop\.....scr.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match; File source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2......scr.exe.372f190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Adobe.exe.4b88fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Adobe.exe.46c4760.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Adobe.exe.4b0f3c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2......scr.exe.36b5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1777233842.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1900115348.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1978237807.000000000105A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.2054321367.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4211294866.0000000001407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1929313273.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1989491891.0000000004B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: .....scr.exe PID: 6964, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: .....scr.exe PID: 1744, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 3384, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 7148, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 6916, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 5652, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 1852, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 7104, type: MEMORYSTR
Source: C:\Users\user\Desktop\.....scr.exe; Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 2_2_0040B59B
Source: C:\Users\user\Desktop\.....scr.exe; Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 2_2_0040B6B5
Source: C:\Users\user\Desktop\.....scr.exe; Code function: \key3.db 2_2_0040B6B5
Source: C:\Windows\SysWOW64\recover.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\SysWOW64\recover.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\recover.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\SysWOW64\recover.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\recover.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\recover.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\recover.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\recover.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\recover.exe; Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\SysWOW64\recover.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\recover.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\SysWOW64\recover.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\SysWOW64\recover.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\SysWOW64\recover.exe; Code function: ESMTPPassword 8_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe; Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 8_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe; Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 8_2_00402DB3
Source: Yara match; File source: 7.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.Adobe.exe.4090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.Adobe.exe.4090000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.4212976216.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1856890737.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 3384, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: recover.exe PID: 3980, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match; File source: 10.2.Adobe.exe.46c4760.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Adobe.exe.473e380.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Adobe.exe.4b88fe0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2......scr.exe.372f190.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2......scr.exe.36b5570.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Adobe.exe.4b0f3c0.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2......scr.exe.372f190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Adobe.exe.473e380.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Adobe.exe.4b88fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Adobe.exe.46c4760.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.Adobe.exe.4b0f3c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2......scr.exe.36b5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1776646433.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1777233842.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1900115348.00000000012CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1978237807.000000000105A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.2054321367.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1780331373.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4211294866.0000000001407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1929313273.00000000046C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1989491891.0000000004B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: .....scr.exe PID: 6964, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: .....scr.exe PID: 1744, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 3384, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 7148, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 6916, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 5652, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 1852, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 7104, type: MEMORYSTR
Source: C:\Users\user\Desktop\.....scr.exe; Code function: cmd.exe 2_2_00405091
MITRE ATT&CK matrix columns (tactics): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts31
              Native API
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              1
              Disable or Modify Tools
              2
              OS Credential Dumping
              2
              System Time Discovery
              Remote Services11
              Archive Collected Data
              12
              Ingress Tool Transfer
              Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts12
              Command and Scripting Interpreter
              1
              Windows Service
              1
              Bypass User Account Control
              1
              Deobfuscate/Decode Files or Information
              111
              Input Capture
              1
              Account Discovery
              Remote Desktop Protocol1
              Data from Local System
              2
              Encrypted Channel
              Exfiltration Over Bluetooth1
              Defacement
              Email AddressesDNS ServerDomain Accounts2
              Service Execution
              11
              Registry Run Keys / Startup Folder
              1
              Access Token Manipulation
              4
              Obfuscated Files or Information
              2
              Credentials in Registry
              1
              System Service Discovery
              SMB/Windows Admin Shares1
              Email Collection
              1
              Non-Standard Port
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
              Windows Service
              13
              Software Packing
              3
              Credentials In Files
              4
              File and Directory Discovery
              Distributed Component Object Model111
              Input Capture
              2
              Non-Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script312
              Process Injection
              1
              Timestomp
              LSA Secrets38
              System Information Discovery
              SSH3
              Clipboard Data
              12
              Application Layer Protocol
              Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts11
              Registry Run Keys / Startup Folder
              1
              DLL Side-Loading
              Cached Domain Credentials241
              Security Software Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Bypass User Account Control
              DCSync41
              Virtualization/Sandbox Evasion
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              Masquerading
              Proc Filesystem4
              Process Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt41
              Virtualization/Sandbox Evasion
              /etc/passwd and /etc/shadow1
              Application Window Discovery
              Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
              Access Token Manipulation
              Network Sniffing1
              System Owner/User Discovery
              Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
              Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd312
              Process Injection
              Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
Behavior Graph (ID: 1630674; Sample: .....scr.exe; Start date: 06/03/2025; Architecture: WINDOWS; Score: 100)

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

DNS/IP: geoplugin.net; 53.210.109.20.in-addr.arpa; 198.187.3.20.in-addr.arpa; 104.250.180.178 (ports 49734, 49736, 7902; M247GB, United States); geoplugin.net 178.237.33.50 (ports 49737, 80; ATOM86-ASATOM86NL, Netherlands)

Process tree:
- .....scr.exe (started): dropped C:\Users\user\AppData\...\.....scr.exe.log (ASCII); signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
  - .....scr.exe (child): dropped C:\ProgramData\Adobe-Reader\Adobe.exe (PE32) and C:\ProgramData\...\Adobe.exe:Zone.Identifier (ASCII); signature: Creates autostart registry keys with suspicious names
    - Adobe.exe: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
      - Adobe.exe: contacts 104.250.180.178 (ports 49734, 49736, 7902) and geoplugin.net 178.237.33.50 (ports 49737, 80); Writes to foreign memory regions; Maps a DLL or memory area into another process
        - recover.exe: Tries to steal Mail credentials (via file registry); Tries to harvest and steal browser information (history, passwords, etc)
        - recover.exe: Tries to steal Instant Messenger accounts or passwords
        - recover.exe: Tries to steal Mail credentials (via file / registry access)
      - Adobe.exe (two further children, no additional signatures)
- Adobe.exe (three further top-level instances): Injects a PE file into a foreign processes; each spawns additional Adobe.exe children

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.