Windows Analysis Report 6122.scr.exe

AI detected suspicious sample

Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Adobe\Adobe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 6122.scr.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

3_2_00433837

Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_de751f6d-6

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_004074FD _wcslen,CoGetObject,

3_2_004074FD

Source: 6122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6122.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: yslI.pdbSHA256 source: 6122.scr.exe, Adobe.exe.3.dr
Source:	Binary string: yslI.pdb source: 6122.scr.exe, Adobe.exe.3.dr

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409253
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C291
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C34D
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409665
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0044E879 FindFirstFileExA,	3_2_0044E879
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_0040880C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,	3_2_0040783C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419AF5
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB30
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW,	6_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407898

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

Suricata IDS alerts for network traffic

Networking

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 104.250.180.178:7902
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49709 -> 104.250.180.178:7902

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 104.250.180.178:7902

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49710 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_0041B380

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: Adobe.exe, 00000005.00000002.4500521486.0000000001322000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: 6122.scr.exe, Adobe.exe, 00000005.00000002.4500276839.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%r
Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gptr$
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
Source: Adobe.exe, 00000006.00000002.2131344664.0000000000CF4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Adobe.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Adobe.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

3_2_0040A2B8

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	3_2_004168C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_0040987A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	6_2_004098E2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	7_2_00406DFC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	7_2_00406E9F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	8_2_004068B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	8_2_004072B5

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

3_2_0040A3E0

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041C9E2 SystemParametersInfoW,

3_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Contains functionality to call native functions

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	6_2_0040DD85
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00401806 NtdllDefWindowProc_W,	6_2_00401806
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004018C0 NtdllDefWindowProc_W,	6_2_004018C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004016FD NtdllDefWindowProc_A,	7_2_004016FD
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004017B7 NtdllDefWindowProc_A,	7_2_004017B7
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00402CAC NtdllDefWindowProc_A,	8_2_00402CAC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00402D66 NtdllDefWindowProc_A,	8_2_00402D66

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

3_2_004167B4

Detected potential crypto function

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 0_2_017C4B01	0_2_017C4B01
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 0_2_017CDE4C	0_2_017CDE4C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 0_2_078F2E20	0_2_078F2E20
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043E0CC	3_2_0043E0CC
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0041F0FA	3_2_0041F0FA
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00454159	3_2_00454159
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00438168	3_2_00438168
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004461F0	3_2_004461F0
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043E2FB	3_2_0043E2FB
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0045332B	3_2_0045332B
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0042739D	3_2_0042739D
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004374E6	3_2_004374E6
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043E558	3_2_0043E558
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00438770	3_2_00438770
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004378FE	3_2_004378FE
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00433946	3_2_00433946
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0044D9C9	3_2_0044D9C9
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00427A46	3_2_00427A46
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0041DB62	3_2_0041DB62
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00427BAF	3_2_00427BAF
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00437D33	3_2_00437D33
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00435E5E	3_2_00435E5E
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00426E0E	3_2_00426E0E
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043DE9D	3_2_0043DE9D
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00413FCA	3_2_00413FCA
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00436FEA	3_2_00436FEA
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_0149DE4C	4_2_0149DE4C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_079F2E20	4_2_079F2E20
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10017194	5_2_10017194
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_1000B5C1	5_2_1000B5C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B040	6_2_0044B040
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0043610D	6_2_0043610D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00447310	6_2_00447310
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044A490	6_2_0044A490
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040755A	6_2_0040755A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0043C560	6_2_0043C560
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B610	6_2_0044B610
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044D6C0	6_2_0044D6C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004476F0	6_2_004476F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B870	6_2_0044B870
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044081D	6_2_0044081D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00414957	6_2_00414957
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004079EE	6_2_004079EE
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00407AEB	6_2_00407AEB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044AA80	6_2_0044AA80
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00412AA9	6_2_00412AA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404B74	6_2_00404B74
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404B03	6_2_00404B03
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044BBD8	6_2_0044BBD8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404BE5	6_2_00404BE5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404C76	6_2_00404C76
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00415CFE	6_2_00415CFE
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00416D72	6_2_00416D72
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00446D30	6_2_00446D30
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00446D8B	6_2_00446D8B
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00406E8F	6_2_00406E8F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00405038	7_2_00405038
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0041208C	7_2_0041208C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004050A9	7_2_004050A9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0040511A	7_2_0040511A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0043C13A	7_2_0043C13A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004051AB	7_2_004051AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00449300	7_2_00449300
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0040D322	7_2_0040D322
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044A4F0	7_2_0044A4F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0043A5AB	7_2_0043A5AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00413631	7_2_00413631
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00446690	7_2_00446690
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044A730	7_2_0044A730
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004398D8	7_2_004398D8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004498E0	7_2_004498E0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044A886	7_2_0044A886
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0043DA09	7_2_0043DA09
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00438D5E	7_2_00438D5E
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00449ED0	7_2_00449ED0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0041FE83	7_2_0041FE83
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00430F54	7_2_00430F54
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004050C2	8_2_004050C2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004014AB	8_2_004014AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00405133	8_2_00405133
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004051A4	8_2_004051A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00401246	8_2_00401246
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0040CA46	8_2_0040CA46
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00405235	8_2_00405235
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004032C8	8_2_004032C8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00401689	8_2_00401689
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00402F60	8_2_00402F60
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_0155DE4C	9_2_0155DE4C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05577368	9_2_05577368
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05570040	9_2_05570040
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05570006	9_2_05570006
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05577358	9_2_05577358
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_074F2E20	9_2_074F2E20
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_02EDDE4C	12_2_02EDDE4C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_059383C8	12_2_059383C8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_059337BF	12_2_059337BF
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_059337F8	12_2_059337F8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593E740	12_2_0593E740
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593C668	12_2_0593C668
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593C230	12_2_0593C230
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593C220	12_2_0593C220
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593BDC0	12_2_0593BDC0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593CA8F	12_2_0593CA8F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593CAA0	12_2_0593CAA0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_07272E20	12_2_07272E20
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 14_2_00F1DE4C	14_2_00F1DE4C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 14_2_06B92E20	14_2_06B92E20

Found potential string decryption / allocating functions

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004165FF appears 35 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00422297 appears 42 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00413025 appears 79 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: String function: 00401E65 appears 34 times

Sample file is different than original file name gathered from version info

Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 6122.scr.exe
Source: 6122.scr.exe, 00000000.00000000.2032745011.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyslI.exeD vs 6122.scr.exe
Source: 6122.scr.exe, 00000000.00000002.2062560901.0000000008340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 6122.scr.exe
Source: 6122.scr.exe, 00000003.00000002.2048067973.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyslID vs 6122.scr.exe
Source: 6122.scr.exe	Binary or memory string: OriginalFilenameyslI.exeD vs 6122.scr.exe

Source: 6122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: 6122.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lMlittINpsxqyHRioh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: _0020.SetAccessControl
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: _0020.AddAccessRule
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: _0020.SetAccessControl
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: _0020.AddAccessRule
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lMlittINpsxqyHRioh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@22/7@1/2

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

6_2_004182CE

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		3_2_00417952
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		8_2_00410DE1

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

6_2_00418758

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

3_2_0040F474

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

3_2_0041B4A8

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\6122.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6122.scr.exe.log

Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe-OTOIRK
Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: NULL

Source: C:\ProgramData\Adobe\Adobe.exe

File created: C:\Users\user\AppData\Local\Temp\bhv22E2.tmp

Source: 6122.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 6122.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\ProgramData\Adobe\Adobe.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\6122.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\6122.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Adobe.exe, Adobe.exe, 00000007.00000002.2123873809.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Adobe.exe, 00000006.00000002.2132215034.00000000012EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 6122.scr.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\6122.scr.exe

File read: C:\Users\user\Desktop\6122.scr.exe

Source: C:\ProgramData\Adobe\Adobe.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\6122.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\6122.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\ProgramData\Adobe\Adobe.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

.NET source code contains potential unpacker

Source: 6122.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 6122.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 6122.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: yslI.pdbSHA256 source: 6122.scr.exe, Adobe.exe.3.dr
Source:	Binary string: yslI.pdb source: 6122.scr.exe, Adobe.exe.3.dr

Data Obfuscation

Source: 6122.scr.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	.Net Code: nSC2GcWyVM System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.325e8c8.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.5ae0000.7.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	.Net Code: nSC2GcWyVM System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.32a418c.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.32ad7a4.3.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.32552b0.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: Adobe.exe.3.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 4.2.Adobe.exe.31d5288.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 4.2.Adobe.exe.322d71c.3.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 4.2.Adobe.exe.3224104.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: 6122.scr.exe

Static PE information: 0x9EE6543A [Wed Jun 24 06:22:50 2054 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00457106 push ecx; ret	3_2_00457119
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0045B11A push esp; ret	3_2_0045B141
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0045E54D push esi; ret	3_2_0045E556
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00457A28 push eax; ret	3_2_00457A46
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00434E56 push ecx; ret	3_2_00434E69
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10002806 push ecx; ret	5_2_10002819
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044693D push ecx; ret	6_2_0044694D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044DB70 push eax; ret	6_2_0044DB84
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044DB70 push eax; ret	6_2_0044DBAC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00451D54 push eax; ret	6_2_00451D61
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044B090 push eax; ret	7_2_0044B0A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044B090 push eax; ret	7_2_0044B0CC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00451D34 push eax; ret	7_2_00451D41
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00444E71 push ecx; ret	7_2_00444E81
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00414060 push eax; ret	8_2_00414074
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00414060 push eax; ret	8_2_0041409C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00414039 push ecx; ret	8_2_00414049
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004164EB push 0000006Ah; retf	8_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00416553 push 0000006Ah; retf	8_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00416555 push 0000006Ah; retf	8_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_0155EF82 push eax; iretd	9_2_0155EF89
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_02EDEF82 push eax; iretd	12_2_02EDEF89
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 14_2_06B90006 push es; ret	14_2_06B9001C

Source: 6122.scr.exe	Static PE information: section name: .text entropy: 7.920388843552256
Source: Adobe.exe.3.dr	Static PE information: section name: .text entropy: 7.920388843552256

Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, oUXl38Qon5Z7tsM4nR.cs	High entropy of concatenated method names: 'HDvcsxy13C', 'uYjcLx7Zqx', 'hm9c2UO6Z5', 'r6Mcv3OEd6', 'oLtcua5NXD', 'RUZcjckD7r', 'agicoJs5mV', 'vowitx9Gpw', 'v1Pi6CSUOT', 'H06ifQmQMH'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	High entropy of concatenated method names: 'eSPLTIkfeD', 'D33Lv7lihn', 'cKoLu3JTDO', 'k6YLVnbh2R', 'PCXLjxnUtp', 'ew5LoTpegF', 'FmtLCGHRUw', 'oFcLW2Gywt', 'TQ3L8A86nn', 'PO2LA1bGVy'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, MMRRymsLRW3q82QOYGu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c6mb1lWoat', 'dZrbOiomQS', 'C1VbBGZEd4', 'miAbk24uIe', 'S0VbNies1F', 'chdbYk72K8', 'RgMbtAi8nP'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, YejYQrk0TLI7mPPhDK.cs	High entropy of concatenated method names: 'FCSPAn28sT', 'jIVPy2RdWp', 'ToString', 'cFAPvvXcTw', 'aRkPuyfnvq', 'QNPPVnyA4P', 'fh9PjK3NuF', 'Y24PomorpU', 'c8kPCTRSUh', 'htrPWWoemB'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, oEobZI1envoIa4Slio.cs	High entropy of concatenated method names: 'hukMSxGTXM', 'G49M9VmlOA', 'kP0M1YyDEp', 'PAZMOIi7f5', 'VUaMUIaert', 'QFtMxvVRYF', 'tu7MDcOBDL', 'S7WMlh2Uyi', 'x0DMEy9cOD', 'm8JMHkFyIi'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, vM77OVB0h5ZGs4LVvp.cs	High entropy of concatenated method names: 'ToString', 'XXVRmu5uGC', 'zx1RUhPoWJ', 'J4DRxCwv8D', 'HIIRDr3k6D', 'iYyRlQlviT', 'DfWRETM1QA', 'g31RHg2APk', 'lyqRFsIOtp', 'RhfRehAZov'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, fU8tOTH00QywT4N2NP.cs	High entropy of concatenated method names: 'En7CvMuLVT', 'sa4CVw5ixI', 'mgaCopdMcp', 'qSboQLnP3L', 'oVjozkmClU', 'A4PCw4bJrO', 'PnTCs5hyeJ', 'wbdCh0opnI', 'q9GCLx9MaX', 'pNxC22qvpg'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, WGlAZZKGAXV6pDSItG.cs	High entropy of concatenated method names: 'KECV01pRxA', 'yt7V7ot9dB', 'pJDVISwETY', 'bLGVKaW2cm', 'yoYVM6EDtn', 'TO9VRxJmh5', 'HmrVPVkqKw', 'KJXViYYJkq', 'hlIVcfifjw', 'nmaVbIVgKb'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, bDbkxKgtfhD1VVvXIL.cs	High entropy of concatenated method names: 'pQloTQyQaL', 'nA5ouCki8G', 'F6Ooj34PK0', 'UIkoCuDLqm', 'c8noW63dKi', 'eC9jNW5dIP', 'DjFjYg4dqs', 'KTkjt5fAln', 'ufEj6HY3ff', 'WHWjf1ZcMk'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, BRqveBeSRUwbIX859D.cs	High entropy of concatenated method names: 'p2mCqpFCPn', 'GxhCaKsNJA', 'YsgCGTHgfT', 'sdrC0KVIcb', 'qNwCXhqVh2', 'z6AC73mO5R', 'Dd9C5l30hU', 'jSBCILHUuY', 'weWCKlou8x', 'ObDCrlEc9C'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, s1JCvvuEraKO4aO8c1.cs	High entropy of concatenated method names: 'Dispose', 'fdOsfk1qEl', 'bjphU7jAf5', 'AtPYY8CAsf', 'qYSsQJd1vU', 'biVszO0WRS', 'ProcessDialogKey', 'xtFhw94Fda', 'HDthsLSt5Y', 'w6whhMUXl3'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, M94FdafxDtLSt5Y46w.cs	High entropy of concatenated method names: 'keqigx41oc', 'XhtiUJKLwb', 'BcpixN9W6f', 'kIViDJGOZo', 'ubhi13R5Ji', 'AHYiliTA72', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, SKXiGDrAfbiCHdSK3S.cs	High entropy of concatenated method names: 'aQejXQRAyk', 'zMQj5aRlSw', 'S0kVxnXbiU', 'OKoVD5oDUM', 'o05VlNXlj3', 'cL1VEXVdrx', 'rWkVHOJHNL', 'V4wVF9EBCh', 'iE8VeYuJJJ', 'XJsVSAIePt'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, YmnKt3swn5cFxyQhobJ.cs	High entropy of concatenated method names: 'H89cqngEQf', 'mlWcadK5Y6', 'mBFcG25isD', 'Gmvc00dqgD', 'gaocXlOKfj', 'wEYc7U3gpq', 'udLc5DPouo', 'j2TcIufgk5', 'MEgcKoU7gA', 'zO7cr9pGa3'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, qTxWgB33udNUpZMyHq.cs	High entropy of concatenated method names: 'd79pIS5W9a', 'xZBpKi0YDv', 'vERpgMJwo8', 'ouWpU4dx4U', 'zUBpDE76t4', 'NaxpliSCDw', 'LZdpHZT9N6', 'xwXpFk6aTu', 'QjdpSySOWr', 'qkOpmxKRvL'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, VSJd1v6UsiVO0WRSZt.cs	High entropy of concatenated method names: 'w2Kiv2isUi', 'AQNiukQSeO', 'yeOiVohAQ4', 'kb0ijiiSpT', 'Eskio3JAE0', 'eVPiCBt5ZR', 'ig4iWSOuee', 'vN9i88maxh', 'KMYiADA7wC', 'wOViyy85Tt'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lmin8QhhIQq4ovY4Tc.cs	High entropy of concatenated method names: 'xvoGtBDNZ', 'UZo0APtET', 'JXl7TZZL9', 'HvT5lhTfv', 'w41KkBBV6', 'JhGrcqeha', 'MK7d1pC7PU0Cla9Ckv', 'O9eoWmpHRR5hJAN49G', 'T8OigULDp', 'VgZb3YDe9'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, d3UmV22nuMAGQR9kgB.cs	High entropy of concatenated method names: 'CNAsCMlitt', 'UpssWxqyHR', 'xGAsAXV6pD', 'NItsyGOKXi', 'uSKsM3ShDb', 'TxKsRtfhD1', 'FWt3APEdFEO7YKsLsg', 'ORyPgb3ecawqpWNOT5', 't1Rssd0O68', 'uSlsLFC7LK'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, cMxtSezGcjyLrA6GXP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C2Scpp5bpC', 'XbecMsJSWc', 'J5EcRYKie8', 'pXkcPKEGJZ', 'sX6ci8q33F', 'O4MccIB4mK', 'eKqcbMRZA3'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lMlittINpsxqyHRioh.cs	High entropy of concatenated method names: 'cIpu1thYrm', 'jdNuO3lMgP', 'IlZuBlyHTs', 'n4RukX38MA', 'GrLuNa1oP4', 'UOSuY0NRDg', 'yjKut27e5u', 'dPRu6c1Ahr', 'dUZufDNsoB', 'FKiuQAjpbw'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, Rre25hYWnTuqvUqFJf.cs	High entropy of concatenated method names: 'hsxP6eGYqm', 'hR3PQWay4U', 'Nf6iw75NSh', 'Ceqis2gimp', 'F5NPmAPZTV', 'Q8nP9RdXbL', 'bOdP3WcbBU', 'NJZP1Kokjg', 'hAxPOu8TLg', 'MGFPBgqSIx'
Source: 0.2.6122.scr.exe.325e8c8.1.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.6122.scr.exe.5ae0000.7.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, oUXl38Qon5Z7tsM4nR.cs	High entropy of concatenated method names: 'HDvcsxy13C', 'uYjcLx7Zqx', 'hm9c2UO6Z5', 'r6Mcv3OEd6', 'oLtcua5NXD', 'RUZcjckD7r', 'agicoJs5mV', 'vowitx9Gpw', 'v1Pi6CSUOT', 'H06ifQmQMH'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	High entropy of concatenated method names: 'eSPLTIkfeD', 'D33Lv7lihn', 'cKoLu3JTDO', 'k6YLVnbh2R', 'PCXLjxnUtp', 'ew5LoTpegF', 'FmtLCGHRUw', 'oFcLW2Gywt', 'TQ3L8A86nn', 'PO2LA1bGVy'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, MMRRymsLRW3q82QOYGu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c6mb1lWoat', 'dZrbOiomQS', 'C1VbBGZEd4', 'miAbk24uIe', 'S0VbNies1F', 'chdbYk72K8', 'RgMbtAi8nP'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, YejYQrk0TLI7mPPhDK.cs	High entropy of concatenated method names: 'FCSPAn28sT', 'jIVPy2RdWp', 'ToString', 'cFAPvvXcTw', 'aRkPuyfnvq', 'QNPPVnyA4P', 'fh9PjK3NuF', 'Y24PomorpU', 'c8kPCTRSUh', 'htrPWWoemB'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, oEobZI1envoIa4Slio.cs	High entropy of concatenated method names: 'hukMSxGTXM', 'G49M9VmlOA', 'kP0M1YyDEp', 'PAZMOIi7f5', 'VUaMUIaert', 'QFtMxvVRYF', 'tu7MDcOBDL', 'S7WMlh2Uyi', 'x0DMEy9cOD', 'm8JMHkFyIi'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, vM77OVB0h5ZGs4LVvp.cs	High entropy of concatenated method names: 'ToString', 'XXVRmu5uGC', 'zx1RUhPoWJ', 'J4DRxCwv8D', 'HIIRDr3k6D', 'iYyRlQlviT', 'DfWRETM1QA', 'g31RHg2APk', 'lyqRFsIOtp', 'RhfRehAZov'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, fU8tOTH00QywT4N2NP.cs	High entropy of concatenated method names: 'En7CvMuLVT', 'sa4CVw5ixI', 'mgaCopdMcp', 'qSboQLnP3L', 'oVjozkmClU', 'A4PCw4bJrO', 'PnTCs5hyeJ', 'wbdCh0opnI', 'q9GCLx9MaX', 'pNxC22qvpg'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, WGlAZZKGAXV6pDSItG.cs	High entropy of concatenated method names: 'KECV01pRxA', 'yt7V7ot9dB', 'pJDVISwETY', 'bLGVKaW2cm', 'yoYVM6EDtn', 'TO9VRxJmh5', 'HmrVPVkqKw', 'KJXViYYJkq', 'hlIVcfifjw', 'nmaVbIVgKb'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, bDbkxKgtfhD1VVvXIL.cs	High entropy of concatenated method names: 'pQloTQyQaL', 'nA5ouCki8G', 'F6Ooj34PK0', 'UIkoCuDLqm', 'c8noW63dKi', 'eC9jNW5dIP', 'DjFjYg4dqs', 'KTkjt5fAln', 'ufEj6HY3ff', 'WHWjf1ZcMk'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, BRqveBeSRUwbIX859D.cs	High entropy of concatenated method names: 'p2mCqpFCPn', 'GxhCaKsNJA', 'YsgCGTHgfT', 'sdrC0KVIcb', 'qNwCXhqVh2', 'z6AC73mO5R', 'Dd9C5l30hU', 'jSBCILHUuY', 'weWCKlou8x', 'ObDCrlEc9C'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, s1JCvvuEraKO4aO8c1.cs	High entropy of concatenated method names: 'Dispose', 'fdOsfk1qEl', 'bjphU7jAf5', 'AtPYY8CAsf', 'qYSsQJd1vU', 'biVszO0WRS', 'ProcessDialogKey', 'xtFhw94Fda', 'HDthsLSt5Y', 'w6whhMUXl3'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, M94FdafxDtLSt5Y46w.cs	High entropy of concatenated method names: 'keqigx41oc', 'XhtiUJKLwb', 'BcpixN9W6f', 'kIViDJGOZo', 'ubhi13R5Ji', 'AHYiliTA72', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, SKXiGDrAfbiCHdSK3S.cs	High entropy of concatenated method names: 'aQejXQRAyk', 'zMQj5aRlSw', 'S0kVxnXbiU', 'OKoVD5oDUM', 'o05VlNXlj3', 'cL1VEXVdrx', 'rWkVHOJHNL', 'V4wVF9EBCh', 'iE8VeYuJJJ', 'XJsVSAIePt'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, YmnKt3swn5cFxyQhobJ.cs	High entropy of concatenated method names: 'H89cqngEQf', 'mlWcadK5Y6', 'mBFcG25isD', 'Gmvc00dqgD', 'gaocXlOKfj', 'wEYc7U3gpq', 'udLc5DPouo', 'j2TcIufgk5', 'MEgcKoU7gA', 'zO7cr9pGa3'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, qTxWgB33udNUpZMyHq.cs	High entropy of concatenated method names: 'd79pIS5W9a', 'xZBpKi0YDv', 'vERpgMJwo8', 'ouWpU4dx4U', 'zUBpDE76t4', 'NaxpliSCDw', 'LZdpHZT9N6', 'xwXpFk6aTu', 'QjdpSySOWr', 'qkOpmxKRvL'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, VSJd1v6UsiVO0WRSZt.cs	High entropy of concatenated method names: 'w2Kiv2isUi', 'AQNiukQSeO', 'yeOiVohAQ4', 'kb0ijiiSpT', 'Eskio3JAE0', 'eVPiCBt5ZR', 'ig4iWSOuee', 'vN9i88maxh', 'KMYiADA7wC', 'wOViyy85Tt'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lmin8QhhIQq4ovY4Tc.cs	High entropy of concatenated method names: 'xvoGtBDNZ', 'UZo0APtET', 'JXl7TZZL9', 'HvT5lhTfv', 'w41KkBBV6', 'JhGrcqeha', 'MK7d1pC7PU0Cla9Ckv', 'O9eoWmpHRR5hJAN49G', 'T8OigULDp', 'VgZb3YDe9'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, d3UmV22nuMAGQR9kgB.cs	High entropy of concatenated method names: 'CNAsCMlitt', 'UpssWxqyHR', 'xGAsAXV6pD', 'NItsyGOKXi', 'uSKsM3ShDb', 'TxKsRtfhD1', 'FWt3APEdFEO7YKsLsg', 'ORyPgb3ecawqpWNOT5', 't1Rssd0O68', 'uSlsLFC7LK'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, cMxtSezGcjyLrA6GXP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C2Scpp5bpC', 'XbecMsJSWc', 'J5EcRYKie8', 'pXkcPKEGJZ', 'sX6ci8q33F', 'O4MccIB4mK', 'eKqcbMRZA3'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lMlittINpsxqyHRioh.cs	High entropy of concatenated method names: 'cIpu1thYrm', 'jdNuO3lMgP', 'IlZuBlyHTs', 'n4RukX38MA', 'GrLuNa1oP4', 'UOSuY0NRDg', 'yjKut27e5u', 'dPRu6c1Ahr', 'dUZufDNsoB', 'FKiuQAjpbw'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, Rre25hYWnTuqvUqFJf.cs	High entropy of concatenated method names: 'hsxP6eGYqm', 'hR3PQWay4U', 'Nf6iw75NSh', 'Ceqis2gimp', 'F5NPmAPZTV', 'Q8nP9RdXbL', 'bOdP3WcbBU', 'NJZP1Kokjg', 'hAxPOu8TLg', 'MGFPBgqSIx'
Source: 0.2.6122.scr.exe.32a418c.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.6122.scr.exe.32ad7a4.3.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.6122.scr.exe.32552b0.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 4.2.Adobe.exe.31d5288.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 4.2.Adobe.exe.322d71c.3.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 4.2.Adobe.exe.3224104.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\6122.scr.exe

File written: C:\ProgramData\Adobe\Adobe.exe

Contains functionality to download and launch executables

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

3_2_00406EB0

Drops PE files

Source: C:\Users\user\Desktop\6122.scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\6122.scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Creates autostart registry keys with suspicious names

Boot Survival

Source: C:\Users\user\Desktop\6122.scr.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\6122.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior

Source: C:\Users\user\Desktop\6122.scr.exe

Delayed program exit found

Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 4500, type: MEMORYSTR

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040F7A7 Sleep,ExitProcess,

3_2_0040F7A7

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 3220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 5220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 8500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 9500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 96C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: A6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 51A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: A170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: A010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: ED0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2970000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2880000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7710000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8710000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 88C0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 98C0000 memory reserve \| memory write watch

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

3_2_0041A748

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\6122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 1219			Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 8769			Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\6122.scr.exe	Evaded block: after key decision
Source: C:\Users\user\Desktop\6122.scr.exe	Evaded block: after key decision

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\6122.scr.exe	API coverage: 6.3 %
Source: C:\ProgramData\Adobe\Adobe.exe	API coverage: 9.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\6122.scr.exe TID: 6804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132	Thread sleep count: 1219 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132	Thread sleep time: -3657000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132	Thread sleep count: 8769 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132	Thread sleep time: -26307000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5068	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409253
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C291
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C34D
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409665
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0044E879 FindFirstFileExA,	3_2_0044E879
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_0040880C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,	3_2_0040783C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419AF5
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB30
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW,	6_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407898

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_00418981 memset,GetSystemInfo,

6_2_00418981

Source: C:\Users\user\Desktop\6122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477

Source: Adobe.exe, 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.4500521486.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv22E2.tmp.6.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\ProgramData\Adobe\Adobe.exe

API call chain: ExitProcess graph end node

Source: C:\ProgramData\Adobe\Adobe.exe

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_004349F9

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\ProgramData\Adobe\Adobe.exe

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\6122.scr.exe

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h]		3_2_004432B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10004AB4 mov eax, dword ptr fs:[00000030h]		5_2_10004AB4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00412077 GetProcessHeap,HeapFree,

3_2_00412077

Enables debug privileges

Source: C:\ProgramData\Adobe\Adobe.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004349F9
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00434B47 SetUnhandledExceptionFilter,	3_2_00434B47
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0043BB22
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00434FDC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_100060E2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_10002639
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_10002B1C

Source: C:\Users\user\Desktop\6122.scr.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\Adobe\Adobe.exe

Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

3_2_004120F7

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00419627 mouse_event,

3_2_00419627

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: Adobe.exe, 00000005.00000002.4500276839.0000000001315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerH
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerWH}
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00434C52 cpuid

3_2_00434C52

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: EnumSystemLocalesW,	3_2_00452036
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_004520C3
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,	3_2_00452313
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: EnumSystemLocalesW,	3_2_00448404
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0045243C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,	3_2_00452543
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00452610
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoA,	3_2_0040F8D1
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,	3_2_004488ED
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_00451CD8
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: EnumSystemLocalesW,	3_2_00451F50
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: EnumSystemLocalesW,	3_2_00451F9B

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Users\user\Desktop\6122.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040B164 GetLocalTime,wsprintfW,

3_2_0040B164

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041B60D GetUserNameW,

3_2_0041B60D

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

3_2_00449190

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_0041739B GetVersionExW,

6_2_0041739B

Source: C:\Users\user\Desktop\6122.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Contains functionality to steal Chrome passwords or cookies

Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

3_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		3_2_0040BB30
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: \key3.db		3_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: ESMTPPassword	7_2_004033F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	7_2_00402DB3
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	7_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: Adobe.exe PID: 6948, type: MEMORYSTR

Remote Access Functionality

Contains functionality to launch a control a shell (cmd.exe)

Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: cmd.exe

3_2_0040569A

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

Contacted Domains

Name	IP	Active
geoplugin.net	178.237.33.50	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown

AV Detection

Found malware configuration

Source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Adobe\Adobe.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: 6122.scr.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Adobe\Adobe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 6122.scr.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

3_2_00433837

Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_de751f6d-6

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_004074FD _wcslen,CoGetObject,

3_2_004074FD

Source: 6122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6122.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: yslI.pdbSHA256 source: 6122.scr.exe, Adobe.exe.3.dr
Source:	Binary string: yslI.pdb source: 6122.scr.exe, Adobe.exe.3.dr

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409253
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C291
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C34D
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409665
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0044E879 FindFirstFileExA,	3_2_0044E879
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_0040880C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,	3_2_0040783C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419AF5
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB30
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW,	6_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407898

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

Suricata IDS alerts for network traffic

Networking

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 104.250.180.178:7902
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49709 -> 104.250.180.178:7902

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 104.250.180.178:7902

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49710 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_0041B380

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: Adobe.exe, 00000005.00000002.4500521486.0000000001322000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: 6122.scr.exe, Adobe.exe, 00000005.00000002.4500276839.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%r
Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gptr$
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv22E2.tmp.6.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
Source: Adobe.exe, 00000006.00000002.2131344664.0000000000CF4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Adobe.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Adobe.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv22E2.tmp.6.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

3_2_0040A2B8

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	3_2_004168C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_0040987A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	6_2_004098E2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	7_2_00406DFC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	7_2_00406E9F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	8_2_004068B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	8_2_004072B5

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

3_2_0040A3E0

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041C9E2 SystemParametersInfoW,

3_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Contains functionality to call native functions

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	6_2_0040DD85
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00401806 NtdllDefWindowProc_W,	6_2_00401806
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004018C0 NtdllDefWindowProc_W,	6_2_004018C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004016FD NtdllDefWindowProc_A,	7_2_004016FD
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004017B7 NtdllDefWindowProc_A,	7_2_004017B7
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00402CAC NtdllDefWindowProc_A,	8_2_00402CAC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00402D66 NtdllDefWindowProc_A,	8_2_00402D66

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

3_2_004167B4

Detected potential crypto function

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 0_2_017C4B01	0_2_017C4B01
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 0_2_017CDE4C	0_2_017CDE4C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 0_2_078F2E20	0_2_078F2E20
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043E0CC	3_2_0043E0CC
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0041F0FA	3_2_0041F0FA
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00454159	3_2_00454159
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00438168	3_2_00438168
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004461F0	3_2_004461F0
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043E2FB	3_2_0043E2FB
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0045332B	3_2_0045332B
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0042739D	3_2_0042739D
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004374E6	3_2_004374E6
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043E558	3_2_0043E558
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00438770	3_2_00438770
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004378FE	3_2_004378FE
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00433946	3_2_00433946
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0044D9C9	3_2_0044D9C9
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00427A46	3_2_00427A46
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0041DB62	3_2_0041DB62
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00427BAF	3_2_00427BAF
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00437D33	3_2_00437D33
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00435E5E	3_2_00435E5E
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00426E0E	3_2_00426E0E
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043DE9D	3_2_0043DE9D
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00413FCA	3_2_00413FCA
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00436FEA	3_2_00436FEA
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_0149DE4C	4_2_0149DE4C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_079F2E20	4_2_079F2E20
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10017194	5_2_10017194
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_1000B5C1	5_2_1000B5C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B040	6_2_0044B040
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0043610D	6_2_0043610D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00447310	6_2_00447310
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044A490	6_2_0044A490
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040755A	6_2_0040755A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0043C560	6_2_0043C560
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B610	6_2_0044B610
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044D6C0	6_2_0044D6C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004476F0	6_2_004476F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044B870	6_2_0044B870
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044081D	6_2_0044081D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00414957	6_2_00414957
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_004079EE	6_2_004079EE
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00407AEB	6_2_00407AEB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044AA80	6_2_0044AA80
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00412AA9	6_2_00412AA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404B74	6_2_00404B74
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404B03	6_2_00404B03
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044BBD8	6_2_0044BBD8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404BE5	6_2_00404BE5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00404C76	6_2_00404C76
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00415CFE	6_2_00415CFE
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00416D72	6_2_00416D72
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00446D30	6_2_00446D30
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00446D8B	6_2_00446D8B
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00406E8F	6_2_00406E8F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00405038	7_2_00405038
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0041208C	7_2_0041208C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004050A9	7_2_004050A9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0040511A	7_2_0040511A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0043C13A	7_2_0043C13A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004051AB	7_2_004051AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00449300	7_2_00449300
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0040D322	7_2_0040D322
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044A4F0	7_2_0044A4F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0043A5AB	7_2_0043A5AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00413631	7_2_00413631
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00446690	7_2_00446690
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044A730	7_2_0044A730
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004398D8	7_2_004398D8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004498E0	7_2_004498E0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044A886	7_2_0044A886
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0043DA09	7_2_0043DA09
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00438D5E	7_2_00438D5E
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00449ED0	7_2_00449ED0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0041FE83	7_2_0041FE83
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00430F54	7_2_00430F54
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004050C2	8_2_004050C2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004014AB	8_2_004014AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00405133	8_2_00405133
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004051A4	8_2_004051A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00401246	8_2_00401246
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0040CA46	8_2_0040CA46
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00405235	8_2_00405235
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004032C8	8_2_004032C8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00401689	8_2_00401689
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00402F60	8_2_00402F60
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_0155DE4C	9_2_0155DE4C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05577368	9_2_05577368
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05570040	9_2_05570040
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05570006	9_2_05570006
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05577358	9_2_05577358
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_074F2E20	9_2_074F2E20
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_02EDDE4C	12_2_02EDDE4C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_059383C8	12_2_059383C8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_059337BF	12_2_059337BF
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_059337F8	12_2_059337F8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593E740	12_2_0593E740
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593C668	12_2_0593C668
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593C230	12_2_0593C230
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593C220	12_2_0593C220
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593BDC0	12_2_0593BDC0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593CA8F	12_2_0593CA8F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_0593CAA0	12_2_0593CAA0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_07272E20	12_2_07272E20
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 14_2_00F1DE4C	14_2_00F1DE4C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 14_2_06B92E20	14_2_06B92E20

Found potential string decryption / allocating functions

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004165FF appears 35 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00422297 appears 42 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00413025 appears 79 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: String function: 00401E65 appears 34 times

Sample file is different than original file name gathered from version info

Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 6122.scr.exe
Source: 6122.scr.exe, 00000000.00000000.2032745011.0000000000EF0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyslI.exeD vs 6122.scr.exe
Source: 6122.scr.exe, 00000000.00000002.2062560901.0000000008340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 6122.scr.exe
Source: 6122.scr.exe, 00000003.00000002.2048067973.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyslID vs 6122.scr.exe
Source: 6122.scr.exe	Binary or memory string: OriginalFilenameyslI.exeD vs 6122.scr.exe

Source: 6122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: 6122.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lMlittINpsxqyHRioh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: _0020.SetAccessControl
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: _0020.AddAccessRule
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: _0020.SetAccessControl
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	Security API names: _0020.AddAccessRule
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lMlittINpsxqyHRioh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@22/7@1/2

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

6_2_004182CE

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		3_2_00417952
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		8_2_00410DE1

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

6_2_00418758

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

3_2_0040F474

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

3_2_0041B4A8

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\6122.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6122.scr.exe.log

Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe-OTOIRK
Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: NULL

Source: C:\ProgramData\Adobe\Adobe.exe

File created: C:\Users\user\AppData\Local\Temp\bhv22E2.tmp

Source: 6122.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 6122.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\ProgramData\Adobe\Adobe.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\6122.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\6122.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Adobe.exe, Adobe.exe, 00000007.00000002.2123873809.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Adobe.exe, 00000006.00000002.2132215034.00000000012EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 6122.scr.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\6122.scr.exe

File read: C:\Users\user\Desktop\6122.scr.exe

Source: C:\ProgramData\Adobe\Adobe.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\6122.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\6122.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\ProgramData\Adobe\Adobe.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

.NET source code contains potential unpacker

Source: 6122.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 6122.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 6122.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: yslI.pdbSHA256 source: 6122.scr.exe, Adobe.exe.3.dr
Source:	Binary string: yslI.pdb source: 6122.scr.exe, Adobe.exe.3.dr

Data Obfuscation

Source: 6122.scr.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	.Net Code: nSC2GcWyVM System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.325e8c8.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.5ae0000.7.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	.Net Code: nSC2GcWyVM System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.32a418c.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.32ad7a4.3.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.6122.scr.exe.32552b0.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: Adobe.exe.3.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 4.2.Adobe.exe.31d5288.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 4.2.Adobe.exe.322d71c.3.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 4.2.Adobe.exe.3224104.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: 6122.scr.exe

Static PE information: 0x9EE6543A [Wed Jun 24 06:22:50 2054 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\6122.scr.exe

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00457106 push ecx; ret	3_2_00457119
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0045B11A push esp; ret	3_2_0045B141
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0045E54D push esi; ret	3_2_0045E556
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00457A28 push eax; ret	3_2_00457A46
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00434E56 push ecx; ret	3_2_00434E69
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10002806 push ecx; ret	5_2_10002819
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044693D push ecx; ret	6_2_0044694D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044DB70 push eax; ret	6_2_0044DB84
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0044DB70 push eax; ret	6_2_0044DBAC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_00451D54 push eax; ret	6_2_00451D61
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044B090 push eax; ret	7_2_0044B0A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044B090 push eax; ret	7_2_0044B0CC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00451D34 push eax; ret	7_2_00451D41
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00444E71 push ecx; ret	7_2_00444E81
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00414060 push eax; ret	8_2_00414074
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00414060 push eax; ret	8_2_0041409C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00414039 push ecx; ret	8_2_00414049
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004164EB push 0000006Ah; retf	8_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00416553 push 0000006Ah; retf	8_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00416555 push 0000006Ah; retf	8_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_0155EF82 push eax; iretd	9_2_0155EF89
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 12_2_02EDEF82 push eax; iretd	12_2_02EDEF89
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 14_2_06B90006 push es; ret	14_2_06B9001C

Source: 6122.scr.exe	Static PE information: section name: .text entropy: 7.920388843552256
Source: Adobe.exe.3.dr	Static PE information: section name: .text entropy: 7.920388843552256

Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, oUXl38Qon5Z7tsM4nR.cs	High entropy of concatenated method names: 'HDvcsxy13C', 'uYjcLx7Zqx', 'hm9c2UO6Z5', 'r6Mcv3OEd6', 'oLtcua5NXD', 'RUZcjckD7r', 'agicoJs5mV', 'vowitx9Gpw', 'v1Pi6CSUOT', 'H06ifQmQMH'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	High entropy of concatenated method names: 'eSPLTIkfeD', 'D33Lv7lihn', 'cKoLu3JTDO', 'k6YLVnbh2R', 'PCXLjxnUtp', 'ew5LoTpegF', 'FmtLCGHRUw', 'oFcLW2Gywt', 'TQ3L8A86nn', 'PO2LA1bGVy'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, MMRRymsLRW3q82QOYGu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c6mb1lWoat', 'dZrbOiomQS', 'C1VbBGZEd4', 'miAbk24uIe', 'S0VbNies1F', 'chdbYk72K8', 'RgMbtAi8nP'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, YejYQrk0TLI7mPPhDK.cs	High entropy of concatenated method names: 'FCSPAn28sT', 'jIVPy2RdWp', 'ToString', 'cFAPvvXcTw', 'aRkPuyfnvq', 'QNPPVnyA4P', 'fh9PjK3NuF', 'Y24PomorpU', 'c8kPCTRSUh', 'htrPWWoemB'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, oEobZI1envoIa4Slio.cs	High entropy of concatenated method names: 'hukMSxGTXM', 'G49M9VmlOA', 'kP0M1YyDEp', 'PAZMOIi7f5', 'VUaMUIaert', 'QFtMxvVRYF', 'tu7MDcOBDL', 'S7WMlh2Uyi', 'x0DMEy9cOD', 'm8JMHkFyIi'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, vM77OVB0h5ZGs4LVvp.cs	High entropy of concatenated method names: 'ToString', 'XXVRmu5uGC', 'zx1RUhPoWJ', 'J4DRxCwv8D', 'HIIRDr3k6D', 'iYyRlQlviT', 'DfWRETM1QA', 'g31RHg2APk', 'lyqRFsIOtp', 'RhfRehAZov'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, fU8tOTH00QywT4N2NP.cs	High entropy of concatenated method names: 'En7CvMuLVT', 'sa4CVw5ixI', 'mgaCopdMcp', 'qSboQLnP3L', 'oVjozkmClU', 'A4PCw4bJrO', 'PnTCs5hyeJ', 'wbdCh0opnI', 'q9GCLx9MaX', 'pNxC22qvpg'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, WGlAZZKGAXV6pDSItG.cs	High entropy of concatenated method names: 'KECV01pRxA', 'yt7V7ot9dB', 'pJDVISwETY', 'bLGVKaW2cm', 'yoYVM6EDtn', 'TO9VRxJmh5', 'HmrVPVkqKw', 'KJXViYYJkq', 'hlIVcfifjw', 'nmaVbIVgKb'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, bDbkxKgtfhD1VVvXIL.cs	High entropy of concatenated method names: 'pQloTQyQaL', 'nA5ouCki8G', 'F6Ooj34PK0', 'UIkoCuDLqm', 'c8noW63dKi', 'eC9jNW5dIP', 'DjFjYg4dqs', 'KTkjt5fAln', 'ufEj6HY3ff', 'WHWjf1ZcMk'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, BRqveBeSRUwbIX859D.cs	High entropy of concatenated method names: 'p2mCqpFCPn', 'GxhCaKsNJA', 'YsgCGTHgfT', 'sdrC0KVIcb', 'qNwCXhqVh2', 'z6AC73mO5R', 'Dd9C5l30hU', 'jSBCILHUuY', 'weWCKlou8x', 'ObDCrlEc9C'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, s1JCvvuEraKO4aO8c1.cs	High entropy of concatenated method names: 'Dispose', 'fdOsfk1qEl', 'bjphU7jAf5', 'AtPYY8CAsf', 'qYSsQJd1vU', 'biVszO0WRS', 'ProcessDialogKey', 'xtFhw94Fda', 'HDthsLSt5Y', 'w6whhMUXl3'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, M94FdafxDtLSt5Y46w.cs	High entropy of concatenated method names: 'keqigx41oc', 'XhtiUJKLwb', 'BcpixN9W6f', 'kIViDJGOZo', 'ubhi13R5Ji', 'AHYiliTA72', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, SKXiGDrAfbiCHdSK3S.cs	High entropy of concatenated method names: 'aQejXQRAyk', 'zMQj5aRlSw', 'S0kVxnXbiU', 'OKoVD5oDUM', 'o05VlNXlj3', 'cL1VEXVdrx', 'rWkVHOJHNL', 'V4wVF9EBCh', 'iE8VeYuJJJ', 'XJsVSAIePt'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, YmnKt3swn5cFxyQhobJ.cs	High entropy of concatenated method names: 'H89cqngEQf', 'mlWcadK5Y6', 'mBFcG25isD', 'Gmvc00dqgD', 'gaocXlOKfj', 'wEYc7U3gpq', 'udLc5DPouo', 'j2TcIufgk5', 'MEgcKoU7gA', 'zO7cr9pGa3'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, qTxWgB33udNUpZMyHq.cs	High entropy of concatenated method names: 'd79pIS5W9a', 'xZBpKi0YDv', 'vERpgMJwo8', 'ouWpU4dx4U', 'zUBpDE76t4', 'NaxpliSCDw', 'LZdpHZT9N6', 'xwXpFk6aTu', 'QjdpSySOWr', 'qkOpmxKRvL'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, VSJd1v6UsiVO0WRSZt.cs	High entropy of concatenated method names: 'w2Kiv2isUi', 'AQNiukQSeO', 'yeOiVohAQ4', 'kb0ijiiSpT', 'Eskio3JAE0', 'eVPiCBt5ZR', 'ig4iWSOuee', 'vN9i88maxh', 'KMYiADA7wC', 'wOViyy85Tt'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lmin8QhhIQq4ovY4Tc.cs	High entropy of concatenated method names: 'xvoGtBDNZ', 'UZo0APtET', 'JXl7TZZL9', 'HvT5lhTfv', 'w41KkBBV6', 'JhGrcqeha', 'MK7d1pC7PU0Cla9Ckv', 'O9eoWmpHRR5hJAN49G', 'T8OigULDp', 'VgZb3YDe9'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, d3UmV22nuMAGQR9kgB.cs	High entropy of concatenated method names: 'CNAsCMlitt', 'UpssWxqyHR', 'xGAsAXV6pD', 'NItsyGOKXi', 'uSKsM3ShDb', 'TxKsRtfhD1', 'FWt3APEdFEO7YKsLsg', 'ORyPgb3ecawqpWNOT5', 't1Rssd0O68', 'uSlsLFC7LK'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, cMxtSezGcjyLrA6GXP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C2Scpp5bpC', 'XbecMsJSWc', 'J5EcRYKie8', 'pXkcPKEGJZ', 'sX6ci8q33F', 'O4MccIB4mK', 'eKqcbMRZA3'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lMlittINpsxqyHRioh.cs	High entropy of concatenated method names: 'cIpu1thYrm', 'jdNuO3lMgP', 'IlZuBlyHTs', 'n4RukX38MA', 'GrLuNa1oP4', 'UOSuY0NRDg', 'yjKut27e5u', 'dPRu6c1Ahr', 'dUZufDNsoB', 'FKiuQAjpbw'
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, Rre25hYWnTuqvUqFJf.cs	High entropy of concatenated method names: 'hsxP6eGYqm', 'hR3PQWay4U', 'Nf6iw75NSh', 'Ceqis2gimp', 'F5NPmAPZTV', 'Q8nP9RdXbL', 'bOdP3WcbBU', 'NJZP1Kokjg', 'hAxPOu8TLg', 'MGFPBgqSIx'
Source: 0.2.6122.scr.exe.325e8c8.1.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.6122.scr.exe.5ae0000.7.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, oUXl38Qon5Z7tsM4nR.cs	High entropy of concatenated method names: 'HDvcsxy13C', 'uYjcLx7Zqx', 'hm9c2UO6Z5', 'r6Mcv3OEd6', 'oLtcua5NXD', 'RUZcjckD7r', 'agicoJs5mV', 'vowitx9Gpw', 'v1Pi6CSUOT', 'H06ifQmQMH'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs	High entropy of concatenated method names: 'eSPLTIkfeD', 'D33Lv7lihn', 'cKoLu3JTDO', 'k6YLVnbh2R', 'PCXLjxnUtp', 'ew5LoTpegF', 'FmtLCGHRUw', 'oFcLW2Gywt', 'TQ3L8A86nn', 'PO2LA1bGVy'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, MMRRymsLRW3q82QOYGu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c6mb1lWoat', 'dZrbOiomQS', 'C1VbBGZEd4', 'miAbk24uIe', 'S0VbNies1F', 'chdbYk72K8', 'RgMbtAi8nP'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, YejYQrk0TLI7mPPhDK.cs	High entropy of concatenated method names: 'FCSPAn28sT', 'jIVPy2RdWp', 'ToString', 'cFAPvvXcTw', 'aRkPuyfnvq', 'QNPPVnyA4P', 'fh9PjK3NuF', 'Y24PomorpU', 'c8kPCTRSUh', 'htrPWWoemB'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, oEobZI1envoIa4Slio.cs	High entropy of concatenated method names: 'hukMSxGTXM', 'G49M9VmlOA', 'kP0M1YyDEp', 'PAZMOIi7f5', 'VUaMUIaert', 'QFtMxvVRYF', 'tu7MDcOBDL', 'S7WMlh2Uyi', 'x0DMEy9cOD', 'm8JMHkFyIi'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, vM77OVB0h5ZGs4LVvp.cs	High entropy of concatenated method names: 'ToString', 'XXVRmu5uGC', 'zx1RUhPoWJ', 'J4DRxCwv8D', 'HIIRDr3k6D', 'iYyRlQlviT', 'DfWRETM1QA', 'g31RHg2APk', 'lyqRFsIOtp', 'RhfRehAZov'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, fU8tOTH00QywT4N2NP.cs	High entropy of concatenated method names: 'En7CvMuLVT', 'sa4CVw5ixI', 'mgaCopdMcp', 'qSboQLnP3L', 'oVjozkmClU', 'A4PCw4bJrO', 'PnTCs5hyeJ', 'wbdCh0opnI', 'q9GCLx9MaX', 'pNxC22qvpg'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, WGlAZZKGAXV6pDSItG.cs	High entropy of concatenated method names: 'KECV01pRxA', 'yt7V7ot9dB', 'pJDVISwETY', 'bLGVKaW2cm', 'yoYVM6EDtn', 'TO9VRxJmh5', 'HmrVPVkqKw', 'KJXViYYJkq', 'hlIVcfifjw', 'nmaVbIVgKb'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, bDbkxKgtfhD1VVvXIL.cs	High entropy of concatenated method names: 'pQloTQyQaL', 'nA5ouCki8G', 'F6Ooj34PK0', 'UIkoCuDLqm', 'c8noW63dKi', 'eC9jNW5dIP', 'DjFjYg4dqs', 'KTkjt5fAln', 'ufEj6HY3ff', 'WHWjf1ZcMk'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, BRqveBeSRUwbIX859D.cs	High entropy of concatenated method names: 'p2mCqpFCPn', 'GxhCaKsNJA', 'YsgCGTHgfT', 'sdrC0KVIcb', 'qNwCXhqVh2', 'z6AC73mO5R', 'Dd9C5l30hU', 'jSBCILHUuY', 'weWCKlou8x', 'ObDCrlEc9C'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, s1JCvvuEraKO4aO8c1.cs	High entropy of concatenated method names: 'Dispose', 'fdOsfk1qEl', 'bjphU7jAf5', 'AtPYY8CAsf', 'qYSsQJd1vU', 'biVszO0WRS', 'ProcessDialogKey', 'xtFhw94Fda', 'HDthsLSt5Y', 'w6whhMUXl3'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, M94FdafxDtLSt5Y46w.cs	High entropy of concatenated method names: 'keqigx41oc', 'XhtiUJKLwb', 'BcpixN9W6f', 'kIViDJGOZo', 'ubhi13R5Ji', 'AHYiliTA72', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, SKXiGDrAfbiCHdSK3S.cs	High entropy of concatenated method names: 'aQejXQRAyk', 'zMQj5aRlSw', 'S0kVxnXbiU', 'OKoVD5oDUM', 'o05VlNXlj3', 'cL1VEXVdrx', 'rWkVHOJHNL', 'V4wVF9EBCh', 'iE8VeYuJJJ', 'XJsVSAIePt'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, YmnKt3swn5cFxyQhobJ.cs	High entropy of concatenated method names: 'H89cqngEQf', 'mlWcadK5Y6', 'mBFcG25isD', 'Gmvc00dqgD', 'gaocXlOKfj', 'wEYc7U3gpq', 'udLc5DPouo', 'j2TcIufgk5', 'MEgcKoU7gA', 'zO7cr9pGa3'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, qTxWgB33udNUpZMyHq.cs	High entropy of concatenated method names: 'd79pIS5W9a', 'xZBpKi0YDv', 'vERpgMJwo8', 'ouWpU4dx4U', 'zUBpDE76t4', 'NaxpliSCDw', 'LZdpHZT9N6', 'xwXpFk6aTu', 'QjdpSySOWr', 'qkOpmxKRvL'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, VSJd1v6UsiVO0WRSZt.cs	High entropy of concatenated method names: 'w2Kiv2isUi', 'AQNiukQSeO', 'yeOiVohAQ4', 'kb0ijiiSpT', 'Eskio3JAE0', 'eVPiCBt5ZR', 'ig4iWSOuee', 'vN9i88maxh', 'KMYiADA7wC', 'wOViyy85Tt'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lmin8QhhIQq4ovY4Tc.cs	High entropy of concatenated method names: 'xvoGtBDNZ', 'UZo0APtET', 'JXl7TZZL9', 'HvT5lhTfv', 'w41KkBBV6', 'JhGrcqeha', 'MK7d1pC7PU0Cla9Ckv', 'O9eoWmpHRR5hJAN49G', 'T8OigULDp', 'VgZb3YDe9'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, d3UmV22nuMAGQR9kgB.cs	High entropy of concatenated method names: 'CNAsCMlitt', 'UpssWxqyHR', 'xGAsAXV6pD', 'NItsyGOKXi', 'uSKsM3ShDb', 'TxKsRtfhD1', 'FWt3APEdFEO7YKsLsg', 'ORyPgb3ecawqpWNOT5', 't1Rssd0O68', 'uSlsLFC7LK'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, cMxtSezGcjyLrA6GXP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C2Scpp5bpC', 'XbecMsJSWc', 'J5EcRYKie8', 'pXkcPKEGJZ', 'sX6ci8q33F', 'O4MccIB4mK', 'eKqcbMRZA3'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lMlittINpsxqyHRioh.cs	High entropy of concatenated method names: 'cIpu1thYrm', 'jdNuO3lMgP', 'IlZuBlyHTs', 'n4RukX38MA', 'GrLuNa1oP4', 'UOSuY0NRDg', 'yjKut27e5u', 'dPRu6c1Ahr', 'dUZufDNsoB', 'FKiuQAjpbw'
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, Rre25hYWnTuqvUqFJf.cs	High entropy of concatenated method names: 'hsxP6eGYqm', 'hR3PQWay4U', 'Nf6iw75NSh', 'Ceqis2gimp', 'F5NPmAPZTV', 'Q8nP9RdXbL', 'bOdP3WcbBU', 'NJZP1Kokjg', 'hAxPOu8TLg', 'MGFPBgqSIx'
Source: 0.2.6122.scr.exe.32a418c.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.6122.scr.exe.32ad7a4.3.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.6122.scr.exe.32552b0.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 4.2.Adobe.exe.31d5288.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 4.2.Adobe.exe.322d71c.3.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 4.2.Adobe.exe.3224104.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\6122.scr.exe

File written: C:\ProgramData\Adobe\Adobe.exe

Contains functionality to download and launch executables

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

3_2_00406EB0

Drops PE files

Source: C:\Users\user\Desktop\6122.scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\6122.scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Creates autostart registry keys with suspicious names

Boot Survival

Source: C:\Users\user\Desktop\6122.scr.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\6122.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior

Source: C:\Users\user\Desktop\6122.scr.exe

Delayed program exit found

Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 4500, type: MEMORYSTR

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040F7A7 Sleep,ExitProcess,

3_2_0040F7A7

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 3220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 5220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 8500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 9500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: 96C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Memory allocated: A6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 51A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: A170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: A010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: ED0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2970000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2880000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7710000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8710000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 88C0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 98C0000 memory reserve \| memory write watch

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\ProgramData\Adobe\Adobe.exe

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

3_2_0041A748

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\6122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 1219			Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 8769			Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\6122.scr.exe	Evaded block: after key decision
Source: C:\Users\user\Desktop\6122.scr.exe	Evaded block: after key decision

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\6122.scr.exe	API coverage: 6.3 %
Source: C:\ProgramData\Adobe\Adobe.exe	API coverage: 9.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\6122.scr.exe TID: 6804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132	Thread sleep count: 1219 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132	Thread sleep time: -3657000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132	Thread sleep count: 8769 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132	Thread sleep time: -26307000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 5068	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409253
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C291
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C34D
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409665
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0044E879 FindFirstFileExA,	3_2_0044E879
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_0040880C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,	3_2_0040783C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419AF5
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB30
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW,	6_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407898

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_00418981 memset,GetSystemInfo,

6_2_00418981

Source: C:\Users\user\Desktop\6122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477

Source: Adobe.exe, 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.4500521486.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv22E2.tmp.6.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\ProgramData\Adobe\Adobe.exe

API call chain: ExitProcess graph end node

Source: C:\ProgramData\Adobe\Adobe.exe

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_004349F9

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\ProgramData\Adobe\Adobe.exe

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\6122.scr.exe

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h]		3_2_004432B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10004AB4 mov eax, dword ptr fs:[00000030h]		5_2_10004AB4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00412077 GetProcessHeap,HeapFree,

3_2_00412077

Enables debug privileges

Source: C:\ProgramData\Adobe\Adobe.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004349F9
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00434B47 SetUnhandledExceptionFilter,	3_2_00434B47
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0043BB22
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00434FDC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_100060E2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_10002639
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_10002B1C

Source: C:\Users\user\Desktop\6122.scr.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\Adobe\Adobe.exe

Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

3_2_004120F7

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00419627 mouse_event,

3_2_00419627

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: Adobe.exe, 00000005.00000002.4500276839.0000000001315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerH
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerWH}
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00434C52 cpuid

3_2_00434C52

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: EnumSystemLocalesW,	3_2_00452036
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_004520C3
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,	3_2_00452313
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: EnumSystemLocalesW,	3_2_00448404
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0045243C
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,	3_2_00452543
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00452610
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoA,	3_2_0040F8D1
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: GetLocaleInfoW,	3_2_004488ED
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_00451CD8
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: EnumSystemLocalesW,	3_2_00451F50
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: EnumSystemLocalesW,	3_2_00451F9B

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Users\user\Desktop\6122.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0040B164 GetLocalTime,wsprintfW,

3_2_0040B164

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_0041B60D GetUserNameW,

3_2_0041B60D

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: 3_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

3_2_00449190

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 6_2_0041739B GetVersionExW,

6_2_0041739B

Source: C:\Users\user\Desktop\6122.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Contains functionality to steal Chrome passwords or cookies

Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR

Source: C:\Users\user\Desktop\6122.scr.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

3_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\6122.scr.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		3_2_0040BB30
Source: C:\Users\user\Desktop\6122.scr.exe	Code function: \key3.db		3_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: ESMTPPassword	7_2_004033F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	7_2_00402DB3
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	7_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: Adobe.exe PID: 6948, type: MEMORYSTR

Remote Access Functionality