Edit tour

Windows Analysis Report
.....scr.exe

Overview

General Information

Sample name:	.....scr.exe renamed because original name is a hash value
Original sample name:	Draft BL. INV-PL 20241125_081045_BRNB42200D5B685_001434.pdf......................................................................................................scr.exe
Analysis ID:	1630675
MD5:	4a000121dd7e6de307ad8299eb9fa816
SHA1:	1f9e8c10abc2e3be5da8ae613f01d28482a0a644
SHA256:	0ffd61040c88e3beb1cd998b777cbbe118f52daa4eb2759cd9329de5d7f2adc4
Tags:	exeuser-threatcat_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys with suspicious names

Delayed program exit found

Drops executable to a common third party application directory

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

PE file has nameless sections

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected WebBrowserPassView password recovery tool

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

.....scr.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\.....scr.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

.....scr.exe (PID: 3636 cmdline: "C:\Users\user\Desktop\.....scr.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 1520 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 1708 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 2508 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\zfhbftv" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 6392 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\khnlgmgdmv" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 2860 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ubseheqfidklro" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 736 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 3936 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 1276 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 5068 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 2076 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 5768 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

Adobe.exe (PID: 6512 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 4A000121DD7E6DE307AD8299EB9FA816)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-OTOIRK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2108431785.00000000010EB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.2309548998.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000009.00000002.2225585344.00000000014C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2388493354.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.4540588176.0000000001397000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6f018:$a1: Remcos restarted by watchdog! 0xe7c38:$a1: Remcos restarted by watchdog! 0x160478:$a1: Remcos restarted by watchdog! 0x6f590:$a3: %02i:%02i:%02i:%03i 0xe81b0:$a3: %02i:%02i:%02i:%03i 0x1609f0:$a3: %02i:%02i:%02i:%03i
00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6acf8:$a1: Remcos restarted by watchdog! 0xe3918:$a1: Remcos restarted by watchdog! 0x15c158:$a1: Remcos restarted by watchdog! 0x6b270:$a3: %02i:%02i:%02i:%03i 0xe3e90:$a3: %02i:%02i:%02i:%03i 0x15c6d0:$a3: %02i:%02i:%02i:%03i
Process Memory Space: .....scr.exe PID: 6784	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: .....scr.exe PID: 6784	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: .....scr.exe PID: 6784	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: .....scr.exe PID: 6784	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x74a19:$a1: Remcos restarted by watchdog! 0x74f73:$a3: %02i:%02i:%02i:%03i 0x753a2:$a3: %02i:%02i:%02i:%03i
Process Memory Space: .....scr.exe PID: 3636	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: .....scr.exe PID: 3636	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: .....scr.exe PID: 3636	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xcfb4:$a1: Remcos restarted by watchdog! 0xd50e:$a3: %02i:%02i:%02i:%03i 0xd93d:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Adobe.exe PID: 1520	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Adobe.exe PID: 1520	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Adobe.exe PID: 1520	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Adobe.exe PID: 1520	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b01c:$a1: Remcos restarted by watchdog! 0x6b576:$a3: %02i:%02i:%02i:%03i 0x6b9a5:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Adobe.exe PID: 1708	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Adobe.exe PID: 2508	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Adobe.exe PID: 736	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Adobe.exe PID: 3936	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Adobe.exe PID: 5068	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Adobe.exe PID: 6512	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2......scr.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2......scr.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2......scr.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
2.2......scr.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
2.2......scr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
5.2.Adobe.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2......scr.exe.46efe70.6.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.46efe70.6.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.46efe70.6.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.46efe70.6.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
0.2......scr.exe.46efe70.6.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
3.2.Adobe.exe.3b65570.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.Adobe.exe.3b65570.3.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.Adobe.exe.3b65570.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
3.2.Adobe.exe.3b65570.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
3.2.Adobe.exe.3b65570.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
0.2......scr.exe.4677250.5.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.4677250.5.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.4677250.5.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.4677250.5.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
0.2......scr.exe.4677250.5.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
5.2.Adobe.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2......scr.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2......scr.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2......scr.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
2.2......scr.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
2.2......scr.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
3.2.Adobe.exe.3bde190.4.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.Adobe.exe.3bde190.4.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.Adobe.exe.3bde190.4.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
3.2.Adobe.exe.3bde190.4.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
3.2.Adobe.exe.3bde190.4.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
3.2.Adobe.exe.3bde190.4.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.Adobe.exe.3bde190.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.Adobe.exe.3bde190.4.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe32e8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3860:$a3: %02i:%02i:%02i:%03i
3.2.Adobe.exe.3bde190.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd228:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdd1bc:$s1: CoGetObject 0xdd1d0:$s1: CoGetObject 0xdd1ec:$s1: CoGetObject 0xe7178:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdd17c:$s2: Elevation:Administrator!new:
3.2.Adobe.exe.3b65570.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.Adobe.exe.3b65570.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.Adobe.exe.3b65570.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe36c8:$a1: Remcos restarted by watchdog! 0x15bf08:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3c40:$a3: %02i:%02i:%02i:%03i 0x15c480:$a3: %02i:%02i:%02i:%03i
3.2.Adobe.exe.3b65570.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd608:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x155e48:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdd59c:$s1: CoGetObject 0xdd5b0:$s1: CoGetObject 0xdd5cc:$s1: CoGetObject 0xe7558:$s1: CoGetObject 0x155ddc:$s1: CoGetObject 0x155df0:$s1: CoGetObject 0x155e0c:$s1: CoGetObject 0x15fd98:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdd55c:$s2: Elevation:Administrator!new: 0x155d9c:$s2: Elevation:Administrator!new:
0.2......scr.exe.46efe70.6.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.46efe70.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.46efe70.6.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe32e8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3860:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.46efe70.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd228:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdd1bc:$s1: CoGetObject 0xdd1d0:$s1: CoGetObject 0xdd1ec:$s1: CoGetObject 0xe7178:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdd17c:$s2: Elevation:Administrator!new:
0.2......scr.exe.4677250.5.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2......scr.exe.4677250.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2......scr.exe.4677250.5.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe36c8:$a1: Remcos restarted by watchdog! 0x15bf08:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3c40:$a3: %02i:%02i:%02i:%03i 0x15c480:$a3: %02i:%02i:%02i:%03i
0.2......scr.exe.4677250.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd608:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x155e48:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdd59c:$s1: CoGetObject 0xdd5b0:$s1: CoGetObject 0xdd5cc:$s1: CoGetObject 0xe7558:$s1: CoGetObject 0x155ddc:$s1: CoGetObject 0x155df0:$s1: CoGetObject 0x155e0c:$s1: CoGetObject 0x15fd98:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdd55c:$s2: Elevation:Administrator!new: 0x155d9c:$s2: Elevation:Administrator!new:
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\.....scr.exe, ProcessId: 3636, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\.....scr.exe, ProcessId: 3636, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T06:49:21.520167+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49707	104.250.180.178	7902	TCP
2025-03-06T06:49:23.067184+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.5	49709	104.250.180.178	7902	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T06:49:23.170049+0100	2803304	3	Unknown Traffic	192.168.2.5	49710	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-OTOIRK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Adobe\Adobe.exe	ReversingLabs: Detection: 28%
Source: C:\ProgramData\Adobe\Adobe.exe	Virustotal: Detection: 36%			Perma Link

Multi AV Scanner detection for submitted file

Source: .....scr.exe	Virustotal: Detection: 36%			Perma Link
Source: .....scr.exe	ReversingLabs: Detection: 28%

Yara detected Remcos RAT

Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2108431785.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2309548998.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2225585344.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2388493354.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4540588176.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 3936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 6512, type: MEMORYSTR

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

2_2_00433837

Source: .....scr.exe, 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_b369c2b5-c

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1520, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004074FD _wcslen,CoGetObject,

2_2_004074FD

Source: .....scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: .....scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: Adobe.exe, Adobe.exe, 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_00409253
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	2_2_0041C291
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	2_2_0040C34D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_00409665
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0044E879 FindFirstFileExA,	2_2_0044E879
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	2_2_0040880C
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040783C FindFirstFileW,FindNextFileW,	2_2_0040783C
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00419AF5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040BB30
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10006580 FindFirstFileExA,	4_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0040B477 FindFirstFileW,FindNextFileW,	5_2_0040B477
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	6_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407898

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00407C97

Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_04E41AD0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_04E419C9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_00F61AD0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_00F619C9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then push dword ptr [ebp-24h]	3_2_0862F8B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	3_2_0862F8B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	3_2_0862EE5C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then push dword ptr [ebp-24h]	3_2_0862F8A5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	3_2_0862F8A5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	3_2_0862F415
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then push dword ptr [ebp-20h]	3_2_0862F584
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	3_2_0862F584
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then push dword ptr [ebp-20h]	3_2_0862F590
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	3_2_0862F590
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then xor edx, edx	3_2_0862F7E8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then xor edx, edx	3_2_0862F7DD
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	8_2_016619CD
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	8_2_01661AD0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then push dword ptr [ebp-24h]	8_2_0896F8B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	8_2_0896F8B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_0896EE5C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then push dword ptr [ebp-24h]	8_2_0896F8A5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	8_2_0896F8A5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_0896F415
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then push dword ptr [ebp-20h]	8_2_0896F590
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	8_2_0896F590
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then push dword ptr [ebp-20h]	8_2_0896F584
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	8_2_0896F584
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then xor edx, edx	8_2_0896F7DD
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4x nop then xor edx, edx	8_2_0896F7E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49709 -> 104.250.180.178:7902
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 104.250.180.178:7902

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 104.250.180.178

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 104.250.180.178:7902

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49710 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_0041B380

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Adobe.exe, 00000005.00000002.2181746515.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000005.00000002.2181746515.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Adobe.exe, 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Adobe.exe, 00000007.00000002.2170275154.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe, Adobe.exe, 00000007.00000002.2170275154.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: bhvFADD.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvFADD.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvFADD.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvFADD.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvFADD.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Adobe.exe, 00000004.00000002.4540588176.0000000001408000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: Adobe.exe, 00000004.00000002.4540588176.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: .....scr.exe, 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp, .....scr.exe, 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000004.00000002.4540588176.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp1p
Source: Adobe.exe, 00000004.00000002.4540588176.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp9
Source: Adobe.exe, 00000004.00000002.4540588176.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpkp%
Source: bhvFADD.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: .....scr.exe, 00000000.00000002.2102361768.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.2122450177.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000008.00000002.2228431499.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000B.00000002.2313490027.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000D.00000002.2391361698.0000000002611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Adobe.exe, 0000000D.00000002.2391361698.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/CRUDDataSet.xsd
Source: .....scr.exe, 00000000.00000002.2102361768.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.2122450177.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.2122450177.0000000003024000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000008.00000002.2228431499.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000B.00000002.2313490027.000000000321B000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000B.00000002.2313490027.00000000031D8000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000D.00000002.2391361698.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000D.00000002.2391361698.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd
Source: .....scr.exe, 00000000.00000002.2102361768.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.2122450177.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000008.00000002.2228431499.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000B.00000002.2313490027.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000D.00000002.2391361698.0000000002622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd?0ZMP
Source: .....scr.exe, 00000000.00000002.2102361768.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.2122450177.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000008.00000002.2228431499.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000B.00000002.2313490027.00000000031D8000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000D.00000002.2391361698.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsdIData
Source: Adobe.exe, Adobe.exe, 00000007.00000002.2170275154.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: Adobe.exe, Adobe.exe, 00000007.00000002.2170275154.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 00000007.00000002.2170275154.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 00000007.00000002.2170275154.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: Adobe.exe, 00000005.00000002.2176598812.0000000000AF3000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Adobe.exe, 00000007.00000002.2170275154.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: Adobe.exe, 00000005.00000002.2180010754.0000000000B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?cli
Source: Adobe.exe, 00000005.00000002.2180010754.0000000000B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: Adobe.exe, 00000005.00000002.2180010754.0000000000B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Adobe.exe, 00000005.00000002.2180010754.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.2181746515.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Adobe.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: Adobe.exe, Adobe.exe, 00000007.00000002.2170275154.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Adobe.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

2_2_0040A2B8

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0040B70E

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	2_2_004168C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	5_2_00409E39
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	5_2_00409EA1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	6_2_00406DFC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_00406E9F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	7_2_004068B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	7_2_004072B5

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0040B70E

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

2_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2108431785.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2309548998.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2225585344.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2388493354.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4540588176.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 3936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 6512, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041C9E2 SystemParametersInfoW,

2_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.Adobe.exe.3bde190.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.Adobe.exe.3bde190.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.Adobe.exe.3b65570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.Adobe.exe.3b65570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.46efe70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.46efe70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2......scr.exe.4677250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2......scr.exe.4677250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: .....scr.exe PID: 6784, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: .....scr.exe PID: 3636, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Adobe.exe PID: 1520, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

PE file has nameless sections

Source: .....scr.exe	Static PE information: section name:
Source: Adobe.exe.2.dr	Static PE information: section name:

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	5_2_0040BAE3
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004016FD NtdllDefWindowProc_A,	6_2_004016FD
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004017B7 NtdllDefWindowProc_A,	6_2_004017B7
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00402CAC NtdllDefWindowProc_A,	7_2_00402CAC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00402D66 NtdllDefWindowProc_A,	7_2_00402D66

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

2_2_004167B4

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E41CEF	0_2_04E41CEF
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E40871	0_2_04E40871
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E42818	0_2_04E42818
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E449E0	0_2_04E449E0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E4A9C4	0_2_04E4A9C4
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E43A39	0_2_04E43A39
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E434B8	0_2_04E434B8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E46468	0_2_04E46468
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E46458	0_2_04E46458
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E42781	0_2_04E42781
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E46741	0_2_04E46741
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E43058	0_2_04E43058
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E46C89	0_2_04E46C89
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E46C98	0_2_04E46C98
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E4DF78	0_2_04E4DF78
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E46F21	0_2_04E46F21
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E46F30	0_2_04E46F30
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E45880	0_2_04E45880
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E45890	0_2_04E45890
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E449B9	0_2_04E449B9
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_04E4495B	0_2_04E4495B
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0817EE08	0_2_0817EE08
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D2C08	0_2_097D2C08
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D6CF8	0_2_097D6CF8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D1180	0_2_097D1180
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D6448	0_2_097D6448
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097DA4B0	0_2_097DA4B0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D36C8	0_2_097D36C8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D1990	0_2_097D1990
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D1980	0_2_097D1980
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D116F	0_2_097D116F
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D0040	0_2_097D0040
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D0012	0_2_097D0012
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097DC340	0_2_097DC340
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D15D8	0_2_097D15D8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097DA4AA	0_2_097DA4AA
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D0770	0_2_097D0770
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D075A	0_2_097D075A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D1610	0_2_097D1610
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_09951AB8	0_2_09951AB8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_09951AA9	0_2_09951AA9
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_09977540	0_2_09977540
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_099712A0	0_2_099712A0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0997752A	0_2_0997752A
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_09979CF0	0_2_09979CF0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0A235FB8	0_2_0A235FB8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0A238330	0_2_0A238330
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0A230829	0_2_0A230829
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0A230C78	0_2_0A230C78
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0A2310A0	0_2_0A2310A0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0A2310B0	0_2_0A2310B0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0A2314E8	0_2_0A2314E8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0A232D32	0_2_0A232D32
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_0A232D38	0_2_0A232D38
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043E0CC	2_2_0043E0CC
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041F0FA	2_2_0041F0FA
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00454159	2_2_00454159
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00438168	2_2_00438168
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004461F0	2_2_004461F0
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043E2FB	2_2_0043E2FB
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0045332B	2_2_0045332B
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0042739D	2_2_0042739D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004374E6	2_2_004374E6
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043E558	2_2_0043E558
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00438770	2_2_00438770
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004378FE	2_2_004378FE
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00433946	2_2_00433946
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0044D9C9	2_2_0044D9C9
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00427A46	2_2_00427A46
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041DB62	2_2_0041DB62
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00427BAF	2_2_00427BAF
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00437D33	2_2_00437D33
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00435E5E	2_2_00435E5E
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00426E0E	2_2_00426E0E
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043DE9D	2_2_0043DE9D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00413FCA	2_2_00413FCA
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00436FEA	2_2_00436FEA
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F60871	3_2_00F60871
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F62818	3_2_00F62818
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F649E0	3_2_00F649E0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F6A9C4	3_2_00F6A9C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F63A39	3_2_00F63A39
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F61CEF	3_2_00F61CEF
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F63058	3_2_00F63058
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F634B8	3_2_00F634B8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F66468	3_2_00F66468
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F66458	3_2_00F66458
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F62781	3_2_00F62781
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F66741	3_2_00F66741
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F648D0	3_2_00F648D0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F65890	3_2_00F65890
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F65880	3_2_00F65880
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F6488D	3_2_00F6488D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F66C98	3_2_00F66C98
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F66C89	3_2_00F66C89
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F6DF78	3_2_00F6DF78
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F66F30	3_2_00F66F30
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_00F66F21	3_2_00F66F21
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_02A21AB8	3_2_02A21AB8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_02A21AA9	3_2_02A21AA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_02A47540	3_2_02A47540
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_02A412A0	3_2_02A412A0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_02A49CF0	3_2_02A49CF0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_02A4752A	3_2_02A4752A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_06250829	3_2_06250829
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_06250C78	3_2_06250C78
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_06256450	3_2_06256450
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_062510B0	3_2_062510B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_062514E8	3_2_062514E8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_06252D28	3_2_06252D28
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_06252D38	3_2_06252D38
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_0829EE08	3_2_0829EE08
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_0862D8E8	3_2_0862D8E8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_0862DAB0	3_2_0862DAB0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_08624BB8	3_2_08624BB8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_0862D8D8	3_2_0862D8D8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_08620883	3_2_08620883
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_0862DAA1	3_2_0862DAA1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_08624B88	3_2_08624B88
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B22C08	3_2_09B22C08
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B21180	3_2_09B21180
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B2A4B0	3_2_09B2A4B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B26448	3_2_09B26448
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B236C8	3_2_09B236C8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B21990	3_2_09B21990
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B21980	3_2_09B21980
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B2116F	3_2_09B2116F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B20006	3_2_09B20006
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B20040	3_2_09B20040
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B2C350	3_2_09B2C350
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B215D8	3_2_09B215D8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B20770	3_2_09B20770
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B2075A	3_2_09B2075A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B21610	3_2_09B21610
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10017194	4_2_10017194
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_1000B5C1	4_2_1000B5C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044A030	5_2_0044A030
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0040612B	5_2_0040612B
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0043E13D	5_2_0043E13D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044B188	5_2_0044B188
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00442273	5_2_00442273
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044D380	5_2_0044D380
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044A5F0	5_2_0044A5F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_004125F6	5_2_004125F6
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_004065BF	5_2_004065BF
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_004086CB	5_2_004086CB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_004066BC	5_2_004066BC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044D760	5_2_0044D760
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00405A40	5_2_00405A40
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00449A40	5_2_00449A40
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00405AB1	5_2_00405AB1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00405B22	5_2_00405B22
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044ABC0	5_2_0044ABC0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00405BB3	5_2_00405BB3
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00417C60	5_2_00417C60
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044CC70	5_2_0044CC70
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00418CC9	5_2_00418CC9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044CDFB	5_2_0044CDFB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044CDA0	5_2_0044CDA0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044AE20	5_2_0044AE20
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00415E3E	5_2_00415E3E
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00437F3B	5_2_00437F3B
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00405038	6_2_00405038
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0041208C	6_2_0041208C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004050A9	6_2_004050A9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040511A	6_2_0040511A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0043C13A	6_2_0043C13A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004051AB	6_2_004051AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00449300	6_2_00449300
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040D322	6_2_0040D322
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044A4F0	6_2_0044A4F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0043A5AB	6_2_0043A5AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00413631	6_2_00413631
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00446690	6_2_00446690
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044A730	6_2_0044A730
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004398D8	6_2_004398D8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004498E0	6_2_004498E0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044A886	6_2_0044A886
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0043DA09	6_2_0043DA09
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00438D5E	6_2_00438D5E
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00449ED0	6_2_00449ED0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0041FE83	6_2_0041FE83
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00430F54	6_2_00430F54
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004050C2	7_2_004050C2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004014AB	7_2_004014AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00405133	7_2_00405133
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004051A4	7_2_004051A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00401246	7_2_00401246
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0040CA46	7_2_0040CA46
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00405235	7_2_00405235
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004032C8	7_2_004032C8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00401689	7_2_00401689
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00402F60	7_2_00402F60
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0166A9C4	8_2_0166A9C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01663058	8_2_01663058
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01666468	8_2_01666468
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01666458	8_2_01666458
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_016634B8	8_2_016634B8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01666742	8_2_01666742
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01662784	8_2_01662784
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_016649E0	8_2_016649E0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01660872	8_2_01660872
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01662818	8_2_01662818
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01665880	8_2_01665880
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01665890	8_2_01665890
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01663A3A	8_2_01663A3A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01661CEF	8_2_01661CEF
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01666C89	8_2_01666C89
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01666C98	8_2_01666C98
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01666F21	8_2_01666F21
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_01666F30	8_2_01666F30
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_086CEE08	8_2_086CEE08
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0896D8E8	8_2_0896D8E8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0896DAB0	8_2_0896DAB0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_08964BB8	8_2_08964BB8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0896D8D8	8_2_0896D8D8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0896DAA1	8_2_0896DAA1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_08964B88	8_2_08964B88
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_09D81AB8	8_2_09D81AB8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_09D81AA9	8_2_09D81AA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_09DA7540	8_2_09DA7540
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_09DA12A0	8_2_09DA12A0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_09DA752A	8_2_09DA752A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_09DA9CF0	8_2_09DA9CF0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A095FA9	8_2_0A095FA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A098330	8_2_0A098330
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A090829	8_2_0A090829
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A090C78	8_2_0A090C78
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A0910B0	8_2_0A0910B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A0914E8	8_2_0A0914E8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A092D38	8_2_0A092D38
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A092D37	8_2_0A092D37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A362C08	8_2_0A362C08
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A36116F	8_2_0A36116F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A3636C8	8_2_0A3636C8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A36A4B0	8_2_0A36A4B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A361990	8_2_0A361990
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A361980	8_2_0A361980
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A36C350	8_2_0A36C350
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A360006	8_2_0A360006
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A360040	8_2_0A360040
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A361610	8_2_0A361610
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0A3615D8	8_2_0A3615D8

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00418555 appears 34 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004188FE appears 88 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00422297 appears 42 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\Desktop\.....scr.exe	Code function: String function: 00401E65 appears 34 times

Source: .....scr.exe, 00000000.00000002.2112884746.0000000009920000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.2102361768.0000000002A36000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.2100034168.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.2102361768.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs .....scr.exe
Source: .....scr.exe, 00000000.00000002.2113464037.000000000A540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs .....scr.exe
Source: .....scr.exe, 00000000.00000000.2080010691.00000000006DA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRiPr.exe4 vs .....scr.exe
Source: .....scr.exe, 00000002.00000002.2108431785.0000000001101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName7x vs .....scr.exe
Source: .....scr.exe	Binary or memory string: OriginalFilenameRiPr.exe4 vs .....scr.exe

Source: .....scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.Adobe.exe.3bde190.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.Adobe.exe.3bde190.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.Adobe.exe.3b65570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.Adobe.exe.3b65570.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.46efe70.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.46efe70.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2......scr.exe.4677250.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2......scr.exe.4677250.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: .....scr.exe PID: 6784, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: .....scr.exe PID: 3636, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Adobe.exe PID: 1520, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: .....scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: .....scr.exe	Static PE information: Section: _AcQ ZLIB complexity 1.000390625
Source: Adobe.exe.2.dr	Static PE information: Section: _AcQ ZLIB complexity 1.000390625

Source: 0.2......scr.exe.45b2090.3.raw.unpack, M9vbeS4BqpW13aSU7X.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.45b2090.3.raw.unpack, M9vbeS4BqpW13aSU7X.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.45b2090.3.raw.unpack, M9vbeS4BqpW13aSU7X.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, M9vbeS4BqpW13aSU7X.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, M9vbeS4BqpW13aSU7X.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, M9vbeS4BqpW13aSU7X.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2......scr.exe.45b2090.3.raw.unpack, EnASZ0PuDsIkQFTvbS.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.45b2090.3.raw.unpack, EnASZ0PuDsIkQFTvbS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.a540000.8.raw.unpack, EnASZ0PuDsIkQFTvbS.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.a540000.8.raw.unpack, EnASZ0PuDsIkQFTvbS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, EnASZ0PuDsIkQFTvbS.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, EnASZ0PuDsIkQFTvbS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.a540000.8.raw.unpack, M9vbeS4BqpW13aSU7X.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2......scr.exe.a540000.8.raw.unpack, M9vbeS4BqpW13aSU7X.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2......scr.exe.a540000.8.raw.unpack, M9vbeS4BqpW13aSU7X.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@24/7@1/2

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

5_2_0041A225

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		2_2_00417952
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		7_2_00410DE1

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

5_2_0041A6AF

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

2_2_0040F474

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

2_2_0041B4A8

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0041AA4A

Source: C:\Users\user\Desktop\.....scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\.....scr.exe.log

Jump to behavior

Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe-OTOIRK
Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: NULL
Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\ProgramData\Adobe\Adobe.exe

File created: C:\Users\user\AppData\Local\Temp\bhvFADD.tmp

Jump to behavior

Source: .....scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\ProgramData\Adobe\Adobe.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Adobe.exe, Adobe.exe, 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2170098832.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe.exe, 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe.exe, Adobe.exe, 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe.exe, Adobe.exe, 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe.exe, Adobe.exe, 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Adobe.exe, 00000005.00000002.2181746515.000000000108D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Adobe.exe, Adobe.exe, 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: .....scr.exe	Virustotal: Detection: 36%
Source: .....scr.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\.....scr.exe

File read: C:\Users\user\Desktop\.....scr.exe

Jump to behavior

Source: C:\ProgramData\Adobe\Adobe.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\zfhbftv"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\khnlgmgdmv"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ubseheqfidklro"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\zfhbftv"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\khnlgmgdmv"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ubseheqfidklro"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iconcodecservice.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\.....scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\.....scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\ProgramData\Adobe\Adobe.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: .....scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: .....scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: .....scr.exe

Static file information: File size 1408512 > 1048576

Source: .....scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13c200

Source: .....scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2......scr.exe.45b2090.3.raw.unpack, M9vbeS4BqpW13aSU7X.cs	.Net Code: tng2KHa6cZ System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.a540000.8.raw.unpack, M9vbeS4BqpW13aSU7X.cs	.Net Code: tng2KHa6cZ System.Reflection.Assembly.Load(byte[])
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, M9vbeS4BqpW13aSU7X.cs	.Net Code: tng2KHa6cZ System.Reflection.Assembly.Load(byte[])

Source: .....scr.exe

Static PE information: 0x9C7744FE [Sat Mar 8 15:55:42 2053 UTC]

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_0041CB50

Source: .....scr.exe	Static PE information: section name: _AcQ
Source: .....scr.exe	Static PE information: section name:
Source: Adobe.exe.2.dr	Static PE information: section name: _AcQ
Source: Adobe.exe.2.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_08172C0D push ds; retf	0_2_08172C14
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_081717C0 push cs; iretd	0_2_081717CB
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_097D8B50 push eax; ret	0_2_097D8B51
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 0_2_09953F58 pushfd ; iretd	0_2_09954475
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00457106 push ecx; ret	2_2_00457119
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0045B11A push esp; ret	2_2_0045B141
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0045E54D push esi; ret	2_2_0045E556
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00457A28 push eax; ret	2_2_00457A46
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00434E56 push ecx; ret	2_2_00434E69
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_02A2BB01 pushad ; iretd	3_2_02A2BBA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_02A2BB62 pushad ; iretd	3_2_02A2BBA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_02A2BB43 pushad ; iretd	3_2_02A2BBA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_0625793D push FFFFFF8Bh; iretd	3_2_0625793F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_08292C0D push ds; retf	3_2_08292C14
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_082917C0 push cs; iretd	3_2_082917CB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_08620271 push ss; ret	3_2_08620277
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_09B28B50 push eax; ret	3_2_09B28B51
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10002806 push ecx; ret	4_2_10002819
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00446B75 push ecx; ret	5_2_00446B85
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00452BB4 push eax; ret	5_2_00452BC1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044DDB0 push eax; ret	5_2_0044DDC4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044DDB0 push eax; ret	5_2_0044DDEC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B090 push eax; ret	6_2_0044B0A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B090 push eax; ret	6_2_0044B0CC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00451D34 push eax; ret	6_2_00451D41
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00444E71 push ecx; ret	6_2_00444E81
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00414060 push eax; ret	7_2_00414074
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00414060 push eax; ret	7_2_0041409C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00414039 push ecx; ret	7_2_00414049
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004164EB push 0000006Ah; retf	7_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00416553 push 0000006Ah; retf	7_2_004165C4

Source: .....scr.exe	Static PE information: section name: _AcQ entropy: 7.9982541643645515
Source: .....scr.exe	Static PE information: section name: .text entropy: 7.949730620388062
Source: Adobe.exe.2.dr	Static PE information: section name: _AcQ entropy: 7.9982541643645515
Source: Adobe.exe.2.dr	Static PE information: section name: .text entropy: 7.949730620388062

Source: 0.2......scr.exe.45b2090.3.raw.unpack, BbeKji7RS7sUDxRSJu.cs	High entropy of concatenated method names: 'XnM8PF3WFZ', 'G8C8C9Lntr', 'MdS85BslOa', 'rJ08WCMIXW', 'X978HLGUgD', 'SaM8pHRsA6', 'AsV8mCnxCh', 'J7689UHCaH', 'PuJ8LoqxfN', 'Icf8obL2Mw'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, Ae5HjrYWV6F7QVeya6.cs	High entropy of concatenated method names: 'Sh6gcFHl3e', 'ftlgEhIw5b', 'QMWggI2TIa', 'NMegna15CR', 'MrigThVu8S', 'NdJgGqrKLR', 'Dispose', 'vAwewSRnYC', 'NjWelpeccp', 'EQsehfHYLR'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, GjPDEXzTi9767gBE7H.cs	High entropy of concatenated method names: 'pqdsIDXKYa', 'F47sPAyHG9', 'UqlsCaGwI4', 'JZOs532Po8', 'eOasWhlkv0', 'exHsHlRfGS', 'AvhspJMEP3', 'AthsGaxDJo', 'Jtxs0mhMT9', 'deusDg7IQY'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, qOyPBc5I1cDQgnES6t.cs	High entropy of concatenated method names: 'nAVqXkBYgP', 'TJdqlOwS6m', 'Fohqb0Hycs', 'lCrqMkkaiv', 'nxZq4FZjkV', 'GbPbdCQoUD', 'CZJb3eWk3n', 'KrIbYcesPC', 'oU4bOxqM40', 'AQwbfwBPJE'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, tAJiLrmiR6tC3955e1.cs	High entropy of concatenated method names: 'GBxMwP4vV2', 'lV1Mhvr9vy', 'sLYMqtRqub', 'LAaqtx8pLk', 'g7YqzCfyD8', 'SfqMk4KhZH', 'QBBMrIM2ME', 'WnOM6UEdFA', 'boqMBxxWqh', 'mscM2H1ByI'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, jJpGvxrrk8oVTJqVxBx.cs	High entropy of concatenated method names: 'IsTstTnJEw', 'iPGszprrvJ', 'Uo1nkIc5cK', 'RD2nrff3Qo', 'LtDn6HwdFK', 'Ky3nBvFPE7', 'pL0n24axvN', 'IxunXv72ka', 'tdVnwXM8T2', 'aXrnldrejq'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, EnASZ0PuDsIkQFTvbS.cs	High entropy of concatenated method names: 'NTBlQ0baBR', 'W3hlyCB1I0', 'Yxllv4fxYI', 'VTclNHcbqA', 'AN8ldOfPxX', 'XVSl3mO3Ia', 'NJMlYZFsBi', 'iMtlO93FLY', 'oNslfxoWgU', 'MSalthyAFk'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, BKXMmm237LmW2wyhQ1.cs	High entropy of concatenated method names: 'wbCrMnASZ0', 'BDsr4IkQFT', 'PSlrAqX29n', 'eo9rjpKm8G', 'sqsrcAnEOy', 'DBcrZI1cDQ', 'TruAMOf4yltrf1N4nx', 'KBk0TdxuCXoUNBZQPt', 'tamrrfdqjI', 'IBDrB869ZG'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, i2aYHrQdlFPUsOId6M.cs	High entropy of concatenated method names: 'YTicLI3mWu', 'OiYcU9TBJT', 'EJncQZfYA7', 'n3GcyNrCfv', 's60cWDgfl4', 'HfNcJGgLqs', 'GjWcHuC9UZ', 'WfxcpGter2', 'w3lcR7sVSW', 'm4Pcml8VxV'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, uZrKJ0f6y74f5TteuI.cs	High entropy of concatenated method names: 'NV6g5Uc2fv', 'oWMgWSF0nc', 'AuvgJr8KNU', 'N9ygH6m3wp', 'ulWgpTLDnw', 'GPPgR7RqNa', 'FRNgmUUoRp', 'qSUg9r8q6x', 'qQSgapVNHZ', 'TWwgLXJZvD'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, PHp2SK3dliVmrkmQll.cs	High entropy of concatenated method names: 'dEWEOBF9m9', 'M5PEtD9O4E', 'B0mekr04EF', 'wNGerBPvuy', 'aMnEotYmW4', 'Hw4EUMvDuL', 'OSNE7dYeKM', 'WZtEQKpZv9', 'SMdEyVOLg3', 'ac5EvdsQ8q'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, M9vbeS4BqpW13aSU7X.cs	High entropy of concatenated method names: 'N3jBXZpbXA', 'fDlBwpKdMP', 'oUfBlhl78c', 'eUQBhfaIrS', 'x3aBb9NGyr', 'KjVBqGuPSl', 'U8FBMOqmXr', 'pLDB4bL4SR', 'BXSBxUcw14', 'rZ1BAWEJHF'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, OaEkHMrkmjNUobIoZgT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Jq5soCX604', 'kpFsUkMCMn', 'O8Cs7uxxRO', 'RcSsQNrL1X', 'e3asyaueLc', 'Wdasvl16xs', 'YyZsNfkRf1'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, kxrPqqlilh8xUJuBVe.cs	High entropy of concatenated method names: 'Dispose', 'cF7rfQVeya', 'igE6WLclj0', 'GRku742MwL', 'cRbrtxMMxk', 'Yy7rzAw4mO', 'ProcessDialogKey', 'dAi6kZrKJ0', 'cy76r4f5Tt', 'ruI662VJuA'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, dVJuAxthLy8cf7tgpO.cs	High entropy of concatenated method names: 'nMvshJcs7I', 'jaLsbQZaSA', 'rassq7To2v', 's2usMeNKrf', 'd1osgaGU4Z', 'PyLs40vijM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, AhJMpdabXfkfDGXrrm.cs	High entropy of concatenated method names: 'FS2M0cEVp0', 'Xx8MDL45jn', 'iVuMKZ2XMH', 'u5aM10ZybZ', 'CGRMuxIt1o', 'wJ7MIOn9Tu', 'EnpMFFge3y', 'dSlMPIHwoe', 'WfSMCErVlO', 'jRgMSJgEj1'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, V7DLvI6rAEPuwqOch5.cs	High entropy of concatenated method names: 'u0ZKlJicv', 'Wfu1ekvYZ', 'GXDIjUbRe', 'F6tF32HQq', 'RBVCJ7B87', 'QRdSoFvdX', 'paI56B8ObaxaEP0a9O', 'w9XmFoexIVdXKpP1Jb', 'WkrJGFkt1b9JlxOUnC', 'MTee6XdKC'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, zm8GoySe7xMMbsqsAn.cs	High entropy of concatenated method names: 'dQMbuGC2R7', 'C2ybFF67b7', 'kvghJcTAid', 'o8ahHyDZlE', 'EcVhphU1UJ', 'FVKhR5xnqS', 'KJ6hm0qREV', 'B0Yh9lbyVk', 'ygZhaKL0hL', 'ALIhLs09R2'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, wAfZqONYap9QDZ5Xqf.cs	High entropy of concatenated method names: 'rSVEA5dgQv', 'hiKEjOFcM1', 'ToString', 'jntEw2ZA4G', 'mvIEldWyYQ', 'V8eEhBR8Rs', 'T2KEbUMi7a', 'PP3EqE1337', 'oPKEM8lnT6', 'FvAE4lT9wj'
Source: 0.2......scr.exe.45b2090.3.raw.unpack, SVBnOUCSlqX29nXo9p.cs	High entropy of concatenated method names: 'YqTh1R9l9X', 'THmhI4PkBy', 'WMUhPePh78', 'xAthCHF6sY', 'tj7hcfGAJR', 't1thZXoBXZ', 'MaAhELyibo', 'Tuihe2ZiMS', 'hQThgrQa38', 'MTqhsvmrg1'
Source: 0.2......scr.exe.a540000.8.raw.unpack, BbeKji7RS7sUDxRSJu.cs	High entropy of concatenated method names: 'XnM8PF3WFZ', 'G8C8C9Lntr', 'MdS85BslOa', 'rJ08WCMIXW', 'X978HLGUgD', 'SaM8pHRsA6', 'AsV8mCnxCh', 'J7689UHCaH', 'PuJ8LoqxfN', 'Icf8obL2Mw'
Source: 0.2......scr.exe.a540000.8.raw.unpack, Ae5HjrYWV6F7QVeya6.cs	High entropy of concatenated method names: 'Sh6gcFHl3e', 'ftlgEhIw5b', 'QMWggI2TIa', 'NMegna15CR', 'MrigThVu8S', 'NdJgGqrKLR', 'Dispose', 'vAwewSRnYC', 'NjWelpeccp', 'EQsehfHYLR'
Source: 0.2......scr.exe.a540000.8.raw.unpack, GjPDEXzTi9767gBE7H.cs	High entropy of concatenated method names: 'pqdsIDXKYa', 'F47sPAyHG9', 'UqlsCaGwI4', 'JZOs532Po8', 'eOasWhlkv0', 'exHsHlRfGS', 'AvhspJMEP3', 'AthsGaxDJo', 'Jtxs0mhMT9', 'deusDg7IQY'
Source: 0.2......scr.exe.a540000.8.raw.unpack, qOyPBc5I1cDQgnES6t.cs	High entropy of concatenated method names: 'nAVqXkBYgP', 'TJdqlOwS6m', 'Fohqb0Hycs', 'lCrqMkkaiv', 'nxZq4FZjkV', 'GbPbdCQoUD', 'CZJb3eWk3n', 'KrIbYcesPC', 'oU4bOxqM40', 'AQwbfwBPJE'
Source: 0.2......scr.exe.a540000.8.raw.unpack, tAJiLrmiR6tC3955e1.cs	High entropy of concatenated method names: 'GBxMwP4vV2', 'lV1Mhvr9vy', 'sLYMqtRqub', 'LAaqtx8pLk', 'g7YqzCfyD8', 'SfqMk4KhZH', 'QBBMrIM2ME', 'WnOM6UEdFA', 'boqMBxxWqh', 'mscM2H1ByI'
Source: 0.2......scr.exe.a540000.8.raw.unpack, jJpGvxrrk8oVTJqVxBx.cs	High entropy of concatenated method names: 'IsTstTnJEw', 'iPGszprrvJ', 'Uo1nkIc5cK', 'RD2nrff3Qo', 'LtDn6HwdFK', 'Ky3nBvFPE7', 'pL0n24axvN', 'IxunXv72ka', 'tdVnwXM8T2', 'aXrnldrejq'
Source: 0.2......scr.exe.a540000.8.raw.unpack, EnASZ0PuDsIkQFTvbS.cs	High entropy of concatenated method names: 'NTBlQ0baBR', 'W3hlyCB1I0', 'Yxllv4fxYI', 'VTclNHcbqA', 'AN8ldOfPxX', 'XVSl3mO3Ia', 'NJMlYZFsBi', 'iMtlO93FLY', 'oNslfxoWgU', 'MSalthyAFk'
Source: 0.2......scr.exe.a540000.8.raw.unpack, BKXMmm237LmW2wyhQ1.cs	High entropy of concatenated method names: 'wbCrMnASZ0', 'BDsr4IkQFT', 'PSlrAqX29n', 'eo9rjpKm8G', 'sqsrcAnEOy', 'DBcrZI1cDQ', 'TruAMOf4yltrf1N4nx', 'KBk0TdxuCXoUNBZQPt', 'tamrrfdqjI', 'IBDrB869ZG'
Source: 0.2......scr.exe.a540000.8.raw.unpack, i2aYHrQdlFPUsOId6M.cs	High entropy of concatenated method names: 'YTicLI3mWu', 'OiYcU9TBJT', 'EJncQZfYA7', 'n3GcyNrCfv', 's60cWDgfl4', 'HfNcJGgLqs', 'GjWcHuC9UZ', 'WfxcpGter2', 'w3lcR7sVSW', 'm4Pcml8VxV'
Source: 0.2......scr.exe.a540000.8.raw.unpack, uZrKJ0f6y74f5TteuI.cs	High entropy of concatenated method names: 'NV6g5Uc2fv', 'oWMgWSF0nc', 'AuvgJr8KNU', 'N9ygH6m3wp', 'ulWgpTLDnw', 'GPPgR7RqNa', 'FRNgmUUoRp', 'qSUg9r8q6x', 'qQSgapVNHZ', 'TWwgLXJZvD'
Source: 0.2......scr.exe.a540000.8.raw.unpack, PHp2SK3dliVmrkmQll.cs	High entropy of concatenated method names: 'dEWEOBF9m9', 'M5PEtD9O4E', 'B0mekr04EF', 'wNGerBPvuy', 'aMnEotYmW4', 'Hw4EUMvDuL', 'OSNE7dYeKM', 'WZtEQKpZv9', 'SMdEyVOLg3', 'ac5EvdsQ8q'
Source: 0.2......scr.exe.a540000.8.raw.unpack, M9vbeS4BqpW13aSU7X.cs	High entropy of concatenated method names: 'N3jBXZpbXA', 'fDlBwpKdMP', 'oUfBlhl78c', 'eUQBhfaIrS', 'x3aBb9NGyr', 'KjVBqGuPSl', 'U8FBMOqmXr', 'pLDB4bL4SR', 'BXSBxUcw14', 'rZ1BAWEJHF'
Source: 0.2......scr.exe.a540000.8.raw.unpack, OaEkHMrkmjNUobIoZgT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Jq5soCX604', 'kpFsUkMCMn', 'O8Cs7uxxRO', 'RcSsQNrL1X', 'e3asyaueLc', 'Wdasvl16xs', 'YyZsNfkRf1'
Source: 0.2......scr.exe.a540000.8.raw.unpack, kxrPqqlilh8xUJuBVe.cs	High entropy of concatenated method names: 'Dispose', 'cF7rfQVeya', 'igE6WLclj0', 'GRku742MwL', 'cRbrtxMMxk', 'Yy7rzAw4mO', 'ProcessDialogKey', 'dAi6kZrKJ0', 'cy76r4f5Tt', 'ruI662VJuA'
Source: 0.2......scr.exe.a540000.8.raw.unpack, dVJuAxthLy8cf7tgpO.cs	High entropy of concatenated method names: 'nMvshJcs7I', 'jaLsbQZaSA', 'rassq7To2v', 's2usMeNKrf', 'd1osgaGU4Z', 'PyLs40vijM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2......scr.exe.a540000.8.raw.unpack, AhJMpdabXfkfDGXrrm.cs	High entropy of concatenated method names: 'FS2M0cEVp0', 'Xx8MDL45jn', 'iVuMKZ2XMH', 'u5aM10ZybZ', 'CGRMuxIt1o', 'wJ7MIOn9Tu', 'EnpMFFge3y', 'dSlMPIHwoe', 'WfSMCErVlO', 'jRgMSJgEj1'
Source: 0.2......scr.exe.a540000.8.raw.unpack, V7DLvI6rAEPuwqOch5.cs	High entropy of concatenated method names: 'u0ZKlJicv', 'Wfu1ekvYZ', 'GXDIjUbRe', 'F6tF32HQq', 'RBVCJ7B87', 'QRdSoFvdX', 'paI56B8ObaxaEP0a9O', 'w9XmFoexIVdXKpP1Jb', 'WkrJGFkt1b9JlxOUnC', 'MTee6XdKC'
Source: 0.2......scr.exe.a540000.8.raw.unpack, zm8GoySe7xMMbsqsAn.cs	High entropy of concatenated method names: 'dQMbuGC2R7', 'C2ybFF67b7', 'kvghJcTAid', 'o8ahHyDZlE', 'EcVhphU1UJ', 'FVKhR5xnqS', 'KJ6hm0qREV', 'B0Yh9lbyVk', 'ygZhaKL0hL', 'ALIhLs09R2'
Source: 0.2......scr.exe.a540000.8.raw.unpack, wAfZqONYap9QDZ5Xqf.cs	High entropy of concatenated method names: 'rSVEA5dgQv', 'hiKEjOFcM1', 'ToString', 'jntEw2ZA4G', 'mvIEldWyYQ', 'V8eEhBR8Rs', 'T2KEbUMi7a', 'PP3EqE1337', 'oPKEM8lnT6', 'FvAE4lT9wj'
Source: 0.2......scr.exe.a540000.8.raw.unpack, SVBnOUCSlqX29nXo9p.cs	High entropy of concatenated method names: 'YqTh1R9l9X', 'THmhI4PkBy', 'WMUhPePh78', 'xAthCHF6sY', 'tj7hcfGAJR', 't1thZXoBXZ', 'MaAhELyibo', 'Tuihe2ZiMS', 'hQThgrQa38', 'MTqhsvmrg1'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, BbeKji7RS7sUDxRSJu.cs	High entropy of concatenated method names: 'XnM8PF3WFZ', 'G8C8C9Lntr', 'MdS85BslOa', 'rJ08WCMIXW', 'X978HLGUgD', 'SaM8pHRsA6', 'AsV8mCnxCh', 'J7689UHCaH', 'PuJ8LoqxfN', 'Icf8obL2Mw'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, Ae5HjrYWV6F7QVeya6.cs	High entropy of concatenated method names: 'Sh6gcFHl3e', 'ftlgEhIw5b', 'QMWggI2TIa', 'NMegna15CR', 'MrigThVu8S', 'NdJgGqrKLR', 'Dispose', 'vAwewSRnYC', 'NjWelpeccp', 'EQsehfHYLR'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, GjPDEXzTi9767gBE7H.cs	High entropy of concatenated method names: 'pqdsIDXKYa', 'F47sPAyHG9', 'UqlsCaGwI4', 'JZOs532Po8', 'eOasWhlkv0', 'exHsHlRfGS', 'AvhspJMEP3', 'AthsGaxDJo', 'Jtxs0mhMT9', 'deusDg7IQY'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, qOyPBc5I1cDQgnES6t.cs	High entropy of concatenated method names: 'nAVqXkBYgP', 'TJdqlOwS6m', 'Fohqb0Hycs', 'lCrqMkkaiv', 'nxZq4FZjkV', 'GbPbdCQoUD', 'CZJb3eWk3n', 'KrIbYcesPC', 'oU4bOxqM40', 'AQwbfwBPJE'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, tAJiLrmiR6tC3955e1.cs	High entropy of concatenated method names: 'GBxMwP4vV2', 'lV1Mhvr9vy', 'sLYMqtRqub', 'LAaqtx8pLk', 'g7YqzCfyD8', 'SfqMk4KhZH', 'QBBMrIM2ME', 'WnOM6UEdFA', 'boqMBxxWqh', 'mscM2H1ByI'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, jJpGvxrrk8oVTJqVxBx.cs	High entropy of concatenated method names: 'IsTstTnJEw', 'iPGszprrvJ', 'Uo1nkIc5cK', 'RD2nrff3Qo', 'LtDn6HwdFK', 'Ky3nBvFPE7', 'pL0n24axvN', 'IxunXv72ka', 'tdVnwXM8T2', 'aXrnldrejq'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, EnASZ0PuDsIkQFTvbS.cs	High entropy of concatenated method names: 'NTBlQ0baBR', 'W3hlyCB1I0', 'Yxllv4fxYI', 'VTclNHcbqA', 'AN8ldOfPxX', 'XVSl3mO3Ia', 'NJMlYZFsBi', 'iMtlO93FLY', 'oNslfxoWgU', 'MSalthyAFk'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, BKXMmm237LmW2wyhQ1.cs	High entropy of concatenated method names: 'wbCrMnASZ0', 'BDsr4IkQFT', 'PSlrAqX29n', 'eo9rjpKm8G', 'sqsrcAnEOy', 'DBcrZI1cDQ', 'TruAMOf4yltrf1N4nx', 'KBk0TdxuCXoUNBZQPt', 'tamrrfdqjI', 'IBDrB869ZG'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, i2aYHrQdlFPUsOId6M.cs	High entropy of concatenated method names: 'YTicLI3mWu', 'OiYcU9TBJT', 'EJncQZfYA7', 'n3GcyNrCfv', 's60cWDgfl4', 'HfNcJGgLqs', 'GjWcHuC9UZ', 'WfxcpGter2', 'w3lcR7sVSW', 'm4Pcml8VxV'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, uZrKJ0f6y74f5TteuI.cs	High entropy of concatenated method names: 'NV6g5Uc2fv', 'oWMgWSF0nc', 'AuvgJr8KNU', 'N9ygH6m3wp', 'ulWgpTLDnw', 'GPPgR7RqNa', 'FRNgmUUoRp', 'qSUg9r8q6x', 'qQSgapVNHZ', 'TWwgLXJZvD'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, PHp2SK3dliVmrkmQll.cs	High entropy of concatenated method names: 'dEWEOBF9m9', 'M5PEtD9O4E', 'B0mekr04EF', 'wNGerBPvuy', 'aMnEotYmW4', 'Hw4EUMvDuL', 'OSNE7dYeKM', 'WZtEQKpZv9', 'SMdEyVOLg3', 'ac5EvdsQ8q'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, M9vbeS4BqpW13aSU7X.cs	High entropy of concatenated method names: 'N3jBXZpbXA', 'fDlBwpKdMP', 'oUfBlhl78c', 'eUQBhfaIrS', 'x3aBb9NGyr', 'KjVBqGuPSl', 'U8FBMOqmXr', 'pLDB4bL4SR', 'BXSBxUcw14', 'rZ1BAWEJHF'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, OaEkHMrkmjNUobIoZgT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Jq5soCX604', 'kpFsUkMCMn', 'O8Cs7uxxRO', 'RcSsQNrL1X', 'e3asyaueLc', 'Wdasvl16xs', 'YyZsNfkRf1'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, kxrPqqlilh8xUJuBVe.cs	High entropy of concatenated method names: 'Dispose', 'cF7rfQVeya', 'igE6WLclj0', 'GRku742MwL', 'cRbrtxMMxk', 'Yy7rzAw4mO', 'ProcessDialogKey', 'dAi6kZrKJ0', 'cy76r4f5Tt', 'ruI662VJuA'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, dVJuAxthLy8cf7tgpO.cs	High entropy of concatenated method names: 'nMvshJcs7I', 'jaLsbQZaSA', 'rassq7To2v', 's2usMeNKrf', 'd1osgaGU4Z', 'PyLs40vijM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, AhJMpdabXfkfDGXrrm.cs	High entropy of concatenated method names: 'FS2M0cEVp0', 'Xx8MDL45jn', 'iVuMKZ2XMH', 'u5aM10ZybZ', 'CGRMuxIt1o', 'wJ7MIOn9Tu', 'EnpMFFge3y', 'dSlMPIHwoe', 'WfSMCErVlO', 'jRgMSJgEj1'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, V7DLvI6rAEPuwqOch5.cs	High entropy of concatenated method names: 'u0ZKlJicv', 'Wfu1ekvYZ', 'GXDIjUbRe', 'F6tF32HQq', 'RBVCJ7B87', 'QRdSoFvdX', 'paI56B8ObaxaEP0a9O', 'w9XmFoexIVdXKpP1Jb', 'WkrJGFkt1b9JlxOUnC', 'MTee6XdKC'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, zm8GoySe7xMMbsqsAn.cs	High entropy of concatenated method names: 'dQMbuGC2R7', 'C2ybFF67b7', 'kvghJcTAid', 'o8ahHyDZlE', 'EcVhphU1UJ', 'FVKhR5xnqS', 'KJ6hm0qREV', 'B0Yh9lbyVk', 'ygZhaKL0hL', 'ALIhLs09R2'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, wAfZqONYap9QDZ5Xqf.cs	High entropy of concatenated method names: 'rSVEA5dgQv', 'hiKEjOFcM1', 'ToString', 'jntEw2ZA4G', 'mvIEldWyYQ', 'V8eEhBR8Rs', 'T2KEbUMi7a', 'PP3EqE1337', 'oPKEM8lnT6', 'FvAE4lT9wj'
Source: 0.2......scr.exe.44f4e70.4.raw.unpack, SVBnOUCSlqX29nXo9p.cs	High entropy of concatenated method names: 'YqTh1R9l9X', 'THmhI4PkBy', 'WMUhPePh78', 'xAthCHF6sY', 'tj7hcfGAJR', 't1thZXoBXZ', 'MaAhELyibo', 'Tuihe2ZiMS', 'hQThgrQa38', 'MTqhsvmrg1'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\.....scr.exe

File written: C:\ProgramData\Adobe\Adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

2_2_00406EB0

Source: C:\Users\user\Desktop\.....scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\.....scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\.....scr.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK

Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0041AA4A

Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

2_2_0041CB50

Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 736, type: MEMORYSTR

Delayed program exit found

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040F7A7 Sleep,ExitProcess,

2_2_0040F7A7

Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 5020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 6020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 6150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: 7150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: B8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: C8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: CD60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Memory allocated: DD60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 5240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 6240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 6370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: BA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: CA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 5240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 15C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 56A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 66A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 67D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 77D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: BEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: CEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: D340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: E340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1120000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2D30000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2B40000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 5300000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 6300000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 6430000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7430000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: B760000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: C760000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 5300000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: B60000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2610000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 4610000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 4D70000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 5D70000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 5EA0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 6EA0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: B460000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: C460000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 4D70000 memory reserve \| memory write watch

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

5_2_0040BAE3

Source: C:\Users\user\Desktop\.....scr.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

2_2_0041A748

Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239871	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239750	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239640	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239422	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239312	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239193	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239024	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 238917	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239884	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239766	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239655	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239510	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239391	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239281	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239172	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239063	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239781	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239672	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239561	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239452	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239343	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239234	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239859
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239750
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239640
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239531
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239417
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239312
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239203
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239891
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239766
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239657
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239532
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239422
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239312
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239204
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\.....scr.exe	Window / User API: threadDelayed 1198	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Window / User API: threadDelayed 576	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 412	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 1166	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 9740	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 759	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 606	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 1010
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 370
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 962
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 387

Source: C:\Users\user\Desktop\.....scr.exe	Evaded block: after key decision			graph_2-47650
Source: C:\Users\user\Desktop\.....scr.exe	Evaded block: after key decision			graph_2-47673

Source: C:\Users\user\Desktop\.....scr.exe	API coverage: 6.3 %
Source: C:\ProgramData\Adobe\Adobe.exe	API coverage: 9.8 %

Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -239871s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -239750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -239640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -239531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -239422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -239312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -239193s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -239024s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6200	Thread sleep time: -238917s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe TID: 6084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -239884s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -239766s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -239655s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -239510s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -239391s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -239281s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -239172s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676	Thread sleep time: -239063s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5560	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6540	Thread sleep count: 249 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6540	Thread sleep time: -747000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6540	Thread sleep count: 9740 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6540	Thread sleep time: -29220000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2276	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2276	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2276	Thread sleep time: -239890s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2276	Thread sleep time: -239781s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2276	Thread sleep time: -239672s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2276	Thread sleep time: -239561s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2276	Thread sleep time: -239452s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2276	Thread sleep time: -239343s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2276	Thread sleep time: -239234s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6076	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6076	Thread sleep time: -240000s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6076	Thread sleep time: -239859s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6076	Thread sleep time: -239750s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6076	Thread sleep time: -239640s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6076	Thread sleep time: -239531s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6076	Thread sleep time: -239417s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6076	Thread sleep time: -239312s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6076	Thread sleep time: -239203s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5620	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 3332	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 3332	Thread sleep time: -240000s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 3332	Thread sleep time: -239891s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 3332	Thread sleep time: -239766s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 3332	Thread sleep time: -239657s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 3332	Thread sleep time: -239532s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 3332	Thread sleep time: -239422s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 3332	Thread sleep time: -239312s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 3332	Thread sleep time: -239204s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 4324	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_00409253
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	2_2_0041C291
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	2_2_0040C34D
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_00409665
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0044E879 FindFirstFileExA,	2_2_0044E879
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	2_2_0040880C
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040783C FindFirstFileW,FindNextFileW,	2_2_0040783C
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00419AF5
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040BB30
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10006580 FindFirstFileExA,	4_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0040B477 FindFirstFileW,FindNextFileW,	5_2_0040B477
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	6_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407898

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00407C97

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_0041A8D8 memset,GetSystemInfo,

5_2_0041A8D8

Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239871	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239750	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239640	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239422	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239312	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239193	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 239024	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 238917	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239884	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239766	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239655	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239510	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239391	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239281	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239172	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239063	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239781	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239672	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239561	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239452	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239343	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239234	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239859
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239750
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239640
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239531
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239417
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239312
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239203
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239891
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239766
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239657
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239532
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239422
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239312
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239204
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: Adobe.exe, 00000004.00000002.4540588176.000000000141B000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4540588176.0000000001397000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\ProgramData\Adobe\Adobe.exe

API call chain: ExitProcess graph end node

Source: C:\ProgramData\Adobe\Adobe.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 0_2_04E41AD0 CheckRemoteDebuggerPresent,

0_2_04E41AD0

Source: C:\Users\user\Desktop\.....scr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process queried: DebugPort
Source: C:\ProgramData\Adobe\Adobe.exe	Process queried: DebugPort
Source: C:\ProgramData\Adobe\Adobe.exe	Process queried: DebugPort
Source: C:\ProgramData\Adobe\Adobe.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_004349F9

Source: C:\ProgramData\Adobe\Adobe.exe

5_2_0040BAE3

Source: C:\Users\user\Desktop\.....scr.exe

2_2_0041CB50

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004432B5 mov eax, dword ptr fs:[00000030h]		2_2_004432B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10004AB4 mov eax, dword ptr fs:[00000030h]		4_2_10004AB4

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00412077 GetProcessHeap,HeapFree,

2_2_00412077

Source: C:\Users\user\Desktop\.....scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004349F9
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00434B47 SetUnhandledExceptionFilter,	2_2_00434B47
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0043BB22
Source: C:\Users\user\Desktop\.....scr.exe	Code function: 2_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00434FDC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_100060E2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_10002639
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_10002B1C

Source: C:\Users\user\Desktop\.....scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\.....scr.exe	Memory written: C:\Users\user\Desktop\.....scr.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\.....scr.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

2_2_004120F7

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00419627 mouse_event,

2_2_00419627

Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\Users\user\Desktop\.....scr.exe "C:\Users\user\Desktop\.....scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\zfhbftv"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\khnlgmgdmv"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\ubseheqfidklro"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: Adobe.exe, 00000004.00000002.4540588176.00000000013F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Adobe.exe, 00000004.00000002.4540588176.00000000013F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:M
Source: Adobe.exe, 00000004.00000002.4540588176.00000000013F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager{M
Source: Adobe.exe, 00000004.00000002.4540588176.0000000001397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: Adobe.exe, 00000004.00000002.4540588176.00000000013F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager1M

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00434C52 cpuid

2_2_00434C52

Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_00452036
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_004520C3
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,	2_2_00452313
Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_00448404
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0045243C
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,	2_2_00452543
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00452610
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoA,	2_2_0040F8D1
Source: C:\Users\user\Desktop\.....scr.exe	Code function: GetLocaleInfoW,	2_2_004488ED
Source: C:\Users\user\Desktop\.....scr.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00451CD8
Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_00451F50
Source: C:\Users\user\Desktop\.....scr.exe	Code function: EnumSystemLocalesW,	2_2_00451F9B

Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Users\user\Desktop\.....scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\.....scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0040B164 GetLocalTime,wsprintfW,

2_2_0040B164

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_0041B60D GetUserNameW,

2_2_0041B60D

Source: C:\Users\user\Desktop\.....scr.exe

Code function: 2_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

2_2_00449190

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_004192F2 GetVersionExW,

5_2_004192F2

Source: C:\Users\user\Desktop\.....scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2108431785.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2309548998.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2225585344.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2388493354.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4540588176.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 3936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 6512, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\.....scr.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

2_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\.....scr.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		2_2_0040BB30
Source: C:\Users\user\Desktop\.....scr.exe	Code function: \key3.db		2_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: ESMTPPassword	6_2_004033F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	6_2_00402DB3
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	6_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 5.2.Adobe.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2175686240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 2508, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 2.2......scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2......scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3bde190.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Adobe.exe.3b65570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.46efe70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2......scr.exe.4677250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2108431785.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2309548998.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2105478831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2225585344.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2388493354.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4540588176.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2133072296.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2104065233.0000000004677000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .....scr.exe PID: 3636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 3936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 5068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 6512, type: MEMORYSTR

Source: C:\Users\user\Desktop\.....scr.exe

Code function: cmd.exe

2_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Obfuscated Files or Information	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	13 Software Packing	3 Credentials In Files	4 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	222 Process Injection	1 Timestomp	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	241 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	222 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report .....scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
.....scr.exe