Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_00409253 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
3_2_0041C291 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
3_2_0040C34D |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_00409665 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0044E879 FindFirstFileExA, |
3_2_0044E879 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
3_2_0040880C |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040783C FindFirstFileW,FindNextFileW, |
3_2_0040783C |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
3_2_00419AF5 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
3_2_0040BB30 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
3_2_0040BD37 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
5_2_100010F1 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 5_2_10006580 FindFirstFileExA, |
5_2_10006580 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW, |
6_2_0040AE51 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, |
7_2_00407EF8 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, |
8_2_00407898 |
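The "Code function" rows above list, per function, the imports the sandbox saw it call in order. The security-relevant pattern is a directory walk (FindFirstFile/FindNextFile) inside the same function as DeleteFile/RemoveDirectory, which is the shape of a recursive wipe routine rather than an incidental delete. The following added example, which is not part of the sandbox report, parses rows in exactly this format and flags that pattern. The REPORT text is copied from the rows above; the behaviour tags and the A/W-suffix normalisation are this example's own conventions.

```python
"""Parse sandbox "Code function" rows and flag enumerate-then-delete routines.

Added example, not part of the report. REPORT is copied from the rows above;
tag names and base_name() normalisation are conventions of this example.
"""
import re
from dataclasses import dataclass, field

REPORT = r"""
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
3_2_0041C291 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
3_2_0040C34D |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
3_2_0040BB30 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
5_2_100010F1 |
"""

# Row shape: "Code function: <pid>_<stage>_<address> <api>,<api>,... |"
ENTRY_RE = re.compile(r"^Code function:\s+(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>[^|]*)\|")

ENUMERATION = {"FindFirstFile", "FindFirstFileEx", "FindNextFile"}
DELETION = {"DeleteFile", "RemoveDirectory"}


@dataclass
class FunctionEntry:
    source: str                               # image the function lives in
    function: str                             # report label, e.g. 3_2_0041C291
    apis: list = field(default_factory=list)  # imports called, in report order


def base_name(api):
    """Drop the ANSI/Unicode suffix so DeleteFileA and DeleteFileW compare equal."""
    if len(api) > 1 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def parse_report(text):
    """Return a FunctionEntry for every "Code function" row, keeping the
    preceding "Source:" line as the owning image."""
    entries, source = [], None
    for line in text.splitlines():
        if line.startswith("Source:"):
            source = line[len("Source:"):].strip(" |")
            continue
        m = ENTRY_RE.match(line)
        if m:
            apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
            entries.append(FunctionEntry(source, m.group("fn"), apis))
    return entries


def classify(entry):
    """Return behaviour tags for one function.

    'enumerate-and-delete' requires a FindFirstFile* call before the first
    DeleteFile/RemoveDirectory call in the same function.
    """
    names = [base_name(a) for a in entry.apis]
    enum_idx = [i for i, n in enumerate(names) if n in ENUMERATION]
    del_idx = [i for i, n in enumerate(names) if n in DELETION]
    tags = set()
    if enum_idx:
        tags.add("file-enumeration")
    if del_idx:
        tags.add("file-deletion")
    if enum_idx and del_idx and min(enum_idx) < min(del_idx):
        tags.add("enumerate-and-delete")
    return tags


def find_enumerate_and_delete(entries):
    """Report labels of functions that walk a directory and delete entries."""
    return [e.function for e in entries if "enumerate-and-delete" in classify(e)]


if __name__ == "__main__":
    for e in parse_report(REPORT):
        print(e.function, e.source, sorted(classify(e)))
```

Run against the four rows embedded above, the enumerate-and-delete tag lands on 3_2_0041C291 and 3_2_0040BB30 only; the Adobe.exe function 5_2_100010F1 is plain enumeration. Feeding the full report text to parse_report() works the same way, since the parser only depends on the "Source:" / "Code function:" row shape.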
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.250.180.178 (50 identical events reported) |
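A TCP session to an address that no DNS answer resolved means the address was carried in the binary or its configuration, which is why the sandbox raises it. The same check is cheap to run over network logs outside the sandbox. The following added example, not part of the report, does it over constructed records in the shape of Zeek dns.log / conn.log entries; apart from 104.250.180.178, the IPs, timestamps and ports are synthetic placeholders, not observations.

```python
"""Flag TCP sessions whose destination no earlier DNS answer resolved.

Added example, not part of the sandbox report. DNS_LOG and CONN_LOG are
constructed records shaped like Zeek dns.log / conn.log entries; every
value except 104.250.180.178 is a placeholder chosen for the example.
"""
import ipaddress
from collections import Counter

# Constructed DNS answers (epoch timestamps are arbitrary).
DNS_LOG = [
    {"ts": 1696428300.0, "query": "geoplugin.net", "answers": ["198.51.100.10"]},
    {"ts": 1696428301.0, "query": "www.msftconnecttest.com",
     "answers": ["a-msedge.net", "203.0.113.20"]},   # CNAME entries are not IPs
]

# Constructed connection records; only the responder side matters here.
CONN_LOG = [
    {"ts": 1696428302.0, "proto": "tcp", "id.resp_h": "198.51.100.10", "id.resp_p": 80},
    {"ts": 1696428303.0, "proto": "tcp", "id.resp_h": "104.250.180.178", "id.resp_p": 443},
    {"ts": 1696428310.0, "proto": "tcp", "id.resp_h": "104.250.180.178", "id.resp_p": 443},
    {"ts": 1696428320.0, "proto": "tcp", "id.resp_h": "192.168.1.1", "id.resp_p": 445},
    {"ts": 1696428299.0, "proto": "tcp", "id.resp_h": "203.0.113.20", "id.resp_p": 443},  # before its DNS answer
    {"ts": 1696428330.0, "proto": "udp", "id.resp_h": "8.8.8.8", "id.resp_p": 53},
]

# Internal destinations are normally reached without DNS; skip them by default.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _as_ip(value):
    """Return an ip_address for value, or None when it is not an IP (e.g. a CNAME)."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def tcp_without_dns(dns_log, conn_log, ignore_private=True):
    """Count TCP sessions per destination IP that no DNS answer had resolved
    when the session started.

    A destination that a DNS answer names only after the session is still
    reported: the connection was necessarily opened from a hard-coded address.
    """
    first_resolved = {}
    for rec in dns_log:
        for answer in rec.get("answers", []):
            if _as_ip(answer) is None:
                continue
            ts = rec["ts"]
            first_resolved[answer] = min(ts, first_resolved.get(answer, ts))

    hits = Counter()
    for conn in conn_log:
        if conn.get("proto") != "tcp":
            continue
        dst = conn["id.resp_h"]
        ip = _as_ip(dst)
        if ip is None or (ignore_private and _is_rfc1918(ip)):
            continue
        resolved_at = first_resolved.get(dst)
        if resolved_at is None or resolved_at > conn["ts"]:
            hits[dst] += 1
    return hits


if __name__ == "__main__":
    for dst, n in tcp_without_dns(DNS_LOG, CONN_LOG).most_common():
        print(f"{dst}: {n} TCP session(s) without a preceding DNS answer")
```

On the constructed records the check reports 104.250.180.178 twice and 203.0.113.20 once (its DNS answer arrives after the session), and ignores the UDP record and the RFC 1918 destination. Sessions that used a cached resolution from before the capture window will also show up, so treat a hit as a lead to correlate with the process and file indicators above rather than as proof on its own.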
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0? |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0? |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~ |
Source: Adobe.exe, 00000005.00000002.4500521486.0000000001322000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/ |
Source: 6122.scr.exe, Adobe.exe, 00000005.00000002.4500276839.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp%r |
Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gptr$ |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://ocsp.digicert.com0H |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://ocsp.digicert.com0I |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://ocsp.msocsp.com0S |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://ocspx.digicert.com0E |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://www.digicert.com/CPS0~ |
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.ebuddy.com |
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.com |
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com |
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comr |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750 |
Source: Adobe.exe, 00000006.00000002.2131344664.0000000000CF4000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net |
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net/ |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com: |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live |
Source: Adobe.exe |
String found in binary or memory: https://login.yahoo.com/config/login |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://maps.windows.com/windows-app-web-link |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2 |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2 |
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: Adobe.exe |
String found in binary or memory: https://www.google.com/accounts/servicelogin |
Source: bhv22E2.tmp.6.dr |
String found in binary or memory: https://www.office.com/ |
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 0_2_017C4B01 |
0_2_017C4B01 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 0_2_017CDE4C |
0_2_017CDE4C |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 0_2_078F2E20 |
0_2_078F2E20 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0043E0CC |
3_2_0043E0CC |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0041F0FA |
3_2_0041F0FA |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00454159 |
3_2_00454159 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00438168 |
3_2_00438168 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_004461F0 |
3_2_004461F0 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0043E2FB |
3_2_0043E2FB |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0045332B |
3_2_0045332B |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0042739D |
3_2_0042739D |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_004374E6 |
3_2_004374E6 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0043E558 |
3_2_0043E558 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00438770 |
3_2_00438770 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_004378FE |
3_2_004378FE |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00433946 |
3_2_00433946 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0044D9C9 |
3_2_0044D9C9 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00427A46 |
3_2_00427A46 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0041DB62 |
3_2_0041DB62 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00427BAF |
3_2_00427BAF |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00437D33 |
3_2_00437D33 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00435E5E |
3_2_00435E5E |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00426E0E |
3_2_00426E0E |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0043DE9D |
3_2_0043DE9D |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00413FCA |
3_2_00413FCA |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00436FEA |
3_2_00436FEA |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 4_2_0149DE4C |
4_2_0149DE4C |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 4_2_079F2E20 |
4_2_079F2E20 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 5_2_10017194 |
5_2_10017194 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 5_2_1000B5C1 |
5_2_1000B5C1 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0044B040 |
6_2_0044B040 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0043610D |
6_2_0043610D |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00447310 |
6_2_00447310 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0044A490 |
6_2_0044A490 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0040755A |
6_2_0040755A |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0043C560 |
6_2_0043C560 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0044B610 |
6_2_0044B610 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0044D6C0 |
6_2_0044D6C0 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_004476F0 |
6_2_004476F0 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0044B870 |
6_2_0044B870 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0044081D |
6_2_0044081D |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00414957 |
6_2_00414957 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_004079EE |
6_2_004079EE |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00407AEB |
6_2_00407AEB |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0044AA80 |
6_2_0044AA80 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00412AA9 |
6_2_00412AA9 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00404B74 |
6_2_00404B74 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00404B03 |
6_2_00404B03 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0044BBD8 |
6_2_0044BBD8 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00404BE5 |
6_2_00404BE5 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00404C76 |
6_2_00404C76 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00415CFE |
6_2_00415CFE |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00416D72 |
6_2_00416D72 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00446D30 |
6_2_00446D30 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00446D8B |
6_2_00446D8B |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_00406E8F |
6_2_00406E8F |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_00405038 |
7_2_00405038 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0041208C |
7_2_0041208C |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_004050A9 |
7_2_004050A9 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0040511A |
7_2_0040511A |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0043C13A |
7_2_0043C13A |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_004051AB |
7_2_004051AB |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_00449300 |
7_2_00449300 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0040D322 |
7_2_0040D322 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0044A4F0 |
7_2_0044A4F0 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0043A5AB |
7_2_0043A5AB |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_00413631 |
7_2_00413631 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_00446690 |
7_2_00446690 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0044A730 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_004398D8 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_004498E0 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0044A886 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0043DA09 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_00438D5E |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_00449ED0 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_0041FE83 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_00430F54 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_004050C2 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_004014AB |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_00405133 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_004051A4 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_00401246 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_0040CA46 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_00405235 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_004032C8 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_00401689 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_00402F60 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 9_2_0155DE4C |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 9_2_05577368 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 9_2_05570040 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 9_2_05570006 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 9_2_05577358 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 9_2_074F2E20 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_02EDDE4C |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_059383C8 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_059337BF |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_059337F8 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_0593E740 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_0593C668 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_0593C230 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_0593C220 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_0593BDC0 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_0593CA8F |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_0593CAA0 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 12_2_07272E20 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 14_2_00F1DE4C |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 14_2_06B92E20 |
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: dwrite.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: rstrtmgr.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: slc.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\Desktop\6122.scr.exe |
Section loaded: apphelp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: mscoree.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: apphelp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: kernel.appcore.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: version.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: uxtheme.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windows.storage.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wldp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: profapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptsp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rsaenh.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptbase.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: dwrite.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windowscodecs.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: amsi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: userenv.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: msasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: gpapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: winmm.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: urlmon.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wininet.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: iertutil.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: srvcli.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: netutils.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: iphlpapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rstrtmgr.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ncrypt.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ntasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: sspicli.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: mswsock.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptsp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rsaenh.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptbase.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windows.storage.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wldp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: profapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: kernel.appcore.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: winhttp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: winnsi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: dnsapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rasadhlp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: fwpuclnt.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: version.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wininet.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windows.storage.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wldp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptsp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rsaenh.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptbase.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: pstorec.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: vaultcli.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wintypes.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: dpapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: msasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windows.storage.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wldp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: pstorec.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: sspicli.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: msasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: msasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windows.storage.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wldp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: msasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: sspicli.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptsp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rsaenh.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptbase.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: mscoree.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: kernel.appcore.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: version.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: uxtheme.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windows.storage.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wldp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: profapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptsp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rsaenh.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptbase.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: dwrite.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windowscodecs.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: amsi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: userenv.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: msasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: gpapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: winmm.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: urlmon.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wininet.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: iertutil.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: srvcli.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: netutils.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: iphlpapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rstrtmgr.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ncrypt.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ntasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: kernel.appcore.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: mscoree.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: kernel.appcore.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: version.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: uxtheme.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windows.storage.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wldp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: profapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptsp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rsaenh.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptbase.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: dwrite.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windowscodecs.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: amsi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: userenv.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: msasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: gpapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: winmm.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: urlmon.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wininet.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: iertutil.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: srvcli.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: netutils.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: iphlpapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rstrtmgr.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ncrypt.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ntasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: kernel.appcore.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: mscoree.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: kernel.appcore.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: version.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: uxtheme.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windows.storage.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wldp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: profapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptsp.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rsaenh.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: cryptbase.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: dwrite.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: windowscodecs.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: amsi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: userenv.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: msasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: gpapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: winmm.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: urlmon.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: wininet.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: iertutil.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: srvcli.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: netutils.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: iphlpapi.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: rstrtmgr.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ncrypt.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: ntasn1.dll |
Source: C:\ProgramData\Adobe\Adobe.exe |
Section loaded: kernel.appcore.dll |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, oUXl38Qon5Z7tsM4nR.cs |
High entropy of concatenated method names: 'HDvcsxy13C', 'uYjcLx7Zqx', 'hm9c2UO6Z5', 'r6Mcv3OEd6', 'oLtcua5NXD', 'RUZcjckD7r', 'agicoJs5mV', 'vowitx9Gpw', 'v1Pi6CSUOT', 'H06ifQmQMH' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs |
High entropy of concatenated method names: 'eSPLTIkfeD', 'D33Lv7lihn', 'cKoLu3JTDO', 'k6YLVnbh2R', 'PCXLjxnUtp', 'ew5LoTpegF', 'FmtLCGHRUw', 'oFcLW2Gywt', 'TQ3L8A86nn', 'PO2LA1bGVy' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, MMRRymsLRW3q82QOYGu.cs |
High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c6mb1lWoat', 'dZrbOiomQS', 'C1VbBGZEd4', 'miAbk24uIe', 'S0VbNies1F', 'chdbYk72K8', 'RgMbtAi8nP' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, YejYQrk0TLI7mPPhDK.cs |
High entropy of concatenated method names: 'FCSPAn28sT', 'jIVPy2RdWp', 'ToString', 'cFAPvvXcTw', 'aRkPuyfnvq', 'QNPPVnyA4P', 'fh9PjK3NuF', 'Y24PomorpU', 'c8kPCTRSUh', 'htrPWWoemB' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, oEobZI1envoIa4Slio.cs |
High entropy of concatenated method names: 'hukMSxGTXM', 'G49M9VmlOA', 'kP0M1YyDEp', 'PAZMOIi7f5', 'VUaMUIaert', 'QFtMxvVRYF', 'tu7MDcOBDL', 'S7WMlh2Uyi', 'x0DMEy9cOD', 'm8JMHkFyIi' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, vM77OVB0h5ZGs4LVvp.cs |
High entropy of concatenated method names: 'ToString', 'XXVRmu5uGC', 'zx1RUhPoWJ', 'J4DRxCwv8D', 'HIIRDr3k6D', 'iYyRlQlviT', 'DfWRETM1QA', 'g31RHg2APk', 'lyqRFsIOtp', 'RhfRehAZov' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, fU8tOTH00QywT4N2NP.cs |
High entropy of concatenated method names: 'En7CvMuLVT', 'sa4CVw5ixI', 'mgaCopdMcp', 'qSboQLnP3L', 'oVjozkmClU', 'A4PCw4bJrO', 'PnTCs5hyeJ', 'wbdCh0opnI', 'q9GCLx9MaX', 'pNxC22qvpg' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, WGlAZZKGAXV6pDSItG.cs |
High entropy of concatenated method names: 'KECV01pRxA', 'yt7V7ot9dB', 'pJDVISwETY', 'bLGVKaW2cm', 'yoYVM6EDtn', 'TO9VRxJmh5', 'HmrVPVkqKw', 'KJXViYYJkq', 'hlIVcfifjw', 'nmaVbIVgKb' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, bDbkxKgtfhD1VVvXIL.cs |
High entropy of concatenated method names: 'pQloTQyQaL', 'nA5ouCki8G', 'F6Ooj34PK0', 'UIkoCuDLqm', 'c8noW63dKi', 'eC9jNW5dIP', 'DjFjYg4dqs', 'KTkjt5fAln', 'ufEj6HY3ff', 'WHWjf1ZcMk' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, BRqveBeSRUwbIX859D.cs |
High entropy of concatenated method names: 'p2mCqpFCPn', 'GxhCaKsNJA', 'YsgCGTHgfT', 'sdrC0KVIcb', 'qNwCXhqVh2', 'z6AC73mO5R', 'Dd9C5l30hU', 'jSBCILHUuY', 'weWCKlou8x', 'ObDCrlEc9C' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, s1JCvvuEraKO4aO8c1.cs |
High entropy of concatenated method names: 'Dispose', 'fdOsfk1qEl', 'bjphU7jAf5', 'AtPYY8CAsf', 'qYSsQJd1vU', 'biVszO0WRS', 'ProcessDialogKey', 'xtFhw94Fda', 'HDthsLSt5Y', 'w6whhMUXl3' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, M94FdafxDtLSt5Y46w.cs |
High entropy of concatenated method names: 'keqigx41oc', 'XhtiUJKLwb', 'BcpixN9W6f', 'kIViDJGOZo', 'ubhi13R5Ji', 'AHYiliTA72', 'Next', 'Next', 'Next', 'NextBytes' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, SKXiGDrAfbiCHdSK3S.cs |
High entropy of concatenated method names: 'aQejXQRAyk', 'zMQj5aRlSw', 'S0kVxnXbiU', 'OKoVD5oDUM', 'o05VlNXlj3', 'cL1VEXVdrx', 'rWkVHOJHNL', 'V4wVF9EBCh', 'iE8VeYuJJJ', 'XJsVSAIePt' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, YmnKt3swn5cFxyQhobJ.cs |
High entropy of concatenated method names: 'H89cqngEQf', 'mlWcadK5Y6', 'mBFcG25isD', 'Gmvc00dqgD', 'gaocXlOKfj', 'wEYc7U3gpq', 'udLc5DPouo', 'j2TcIufgk5', 'MEgcKoU7gA', 'zO7cr9pGa3' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, qTxWgB33udNUpZMyHq.cs |
High entropy of concatenated method names: 'd79pIS5W9a', 'xZBpKi0YDv', 'vERpgMJwo8', 'ouWpU4dx4U', 'zUBpDE76t4', 'NaxpliSCDw', 'LZdpHZT9N6', 'xwXpFk6aTu', 'QjdpSySOWr', 'qkOpmxKRvL' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, VSJd1v6UsiVO0WRSZt.cs |
High entropy of concatenated method names: 'w2Kiv2isUi', 'AQNiukQSeO', 'yeOiVohAQ4', 'kb0ijiiSpT', 'Eskio3JAE0', 'eVPiCBt5ZR', 'ig4iWSOuee', 'vN9i88maxh', 'KMYiADA7wC', 'wOViyy85Tt' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lmin8QhhIQq4ovY4Tc.cs |
High entropy of concatenated method names: 'xvoGtBDNZ', 'UZo0APtET', 'JXl7TZZL9', 'HvT5lhTfv', 'w41KkBBV6', 'JhGrcqeha', 'MK7d1pC7PU0Cla9Ckv', 'O9eoWmpHRR5hJAN49G', 'T8OigULDp', 'VgZb3YDe9' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, d3UmV22nuMAGQR9kgB.cs |
High entropy of concatenated method names: 'CNAsCMlitt', 'UpssWxqyHR', 'xGAsAXV6pD', 'NItsyGOKXi', 'uSKsM3ShDb', 'TxKsRtfhD1', 'FWt3APEdFEO7YKsLsg', 'ORyPgb3ecawqpWNOT5', 't1Rssd0O68', 'uSlsLFC7LK' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, cMxtSezGcjyLrA6GXP.cs |
High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C2Scpp5bpC', 'XbecMsJSWc', 'J5EcRYKie8', 'pXkcPKEGJZ', 'sX6ci8q33F', 'O4MccIB4mK', 'eKqcbMRZA3' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lMlittINpsxqyHRioh.cs |
High entropy of concatenated method names: 'cIpu1thYrm', 'jdNuO3lMgP', 'IlZuBlyHTs', 'n4RukX38MA', 'GrLuNa1oP4', 'UOSuY0NRDg', 'yjKut27e5u', 'dPRu6c1Ahr', 'dUZufDNsoB', 'FKiuQAjpbw' |
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, Rre25hYWnTuqvUqFJf.cs |
High entropy of concatenated method names: 'hsxP6eGYqm', 'hR3PQWay4U', 'Nf6iw75NSh', 'Ceqis2gimp', 'F5NPmAPZTV', 'Q8nP9RdXbL', 'bOdP3WcbBU', 'NJZP1Kokjg', 'hAxPOu8TLg', 'MGFPBgqSIx' |
Source: 0.2.6122.scr.exe.325e8c8.1.raw.unpack, JK.cs |
High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq' |
Source: 0.2.6122.scr.exe.5ae0000.7.raw.unpack, JK.cs |
High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, oUXl38Qon5Z7tsM4nR.cs |
High entropy of concatenated method names: 'HDvcsxy13C', 'uYjcLx7Zqx', 'hm9c2UO6Z5', 'r6Mcv3OEd6', 'oLtcua5NXD', 'RUZcjckD7r', 'agicoJs5mV', 'vowitx9Gpw', 'v1Pi6CSUOT', 'H06ifQmQMH' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs |
High entropy of concatenated method names: 'eSPLTIkfeD', 'D33Lv7lihn', 'cKoLu3JTDO', 'k6YLVnbh2R', 'PCXLjxnUtp', 'ew5LoTpegF', 'FmtLCGHRUw', 'oFcLW2Gywt', 'TQ3L8A86nn', 'PO2LA1bGVy' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, MMRRymsLRW3q82QOYGu.cs |
High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c6mb1lWoat', 'dZrbOiomQS', 'C1VbBGZEd4', 'miAbk24uIe', 'S0VbNies1F', 'chdbYk72K8', 'RgMbtAi8nP' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, YejYQrk0TLI7mPPhDK.cs |
High entropy of concatenated method names: 'FCSPAn28sT', 'jIVPy2RdWp', 'ToString', 'cFAPvvXcTw', 'aRkPuyfnvq', 'QNPPVnyA4P', 'fh9PjK3NuF', 'Y24PomorpU', 'c8kPCTRSUh', 'htrPWWoemB' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, oEobZI1envoIa4Slio.cs |
High entropy of concatenated method names: 'hukMSxGTXM', 'G49M9VmlOA', 'kP0M1YyDEp', 'PAZMOIi7f5', 'VUaMUIaert', 'QFtMxvVRYF', 'tu7MDcOBDL', 'S7WMlh2Uyi', 'x0DMEy9cOD', 'm8JMHkFyIi' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, vM77OVB0h5ZGs4LVvp.cs |
High entropy of concatenated method names: 'ToString', 'XXVRmu5uGC', 'zx1RUhPoWJ', 'J4DRxCwv8D', 'HIIRDr3k6D', 'iYyRlQlviT', 'DfWRETM1QA', 'g31RHg2APk', 'lyqRFsIOtp', 'RhfRehAZov' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, fU8tOTH00QywT4N2NP.cs |
High entropy of concatenated method names: 'En7CvMuLVT', 'sa4CVw5ixI', 'mgaCopdMcp', 'qSboQLnP3L', 'oVjozkmClU', 'A4PCw4bJrO', 'PnTCs5hyeJ', 'wbdCh0opnI', 'q9GCLx9MaX', 'pNxC22qvpg' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, WGlAZZKGAXV6pDSItG.cs |
High entropy of concatenated method names: 'KECV01pRxA', 'yt7V7ot9dB', 'pJDVISwETY', 'bLGVKaW2cm', 'yoYVM6EDtn', 'TO9VRxJmh5', 'HmrVPVkqKw', 'KJXViYYJkq', 'hlIVcfifjw', 'nmaVbIVgKb' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, bDbkxKgtfhD1VVvXIL.cs |
High entropy of concatenated method names: 'pQloTQyQaL', 'nA5ouCki8G', 'F6Ooj34PK0', 'UIkoCuDLqm', 'c8noW63dKi', 'eC9jNW5dIP', 'DjFjYg4dqs', 'KTkjt5fAln', 'ufEj6HY3ff', 'WHWjf1ZcMk' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, BRqveBeSRUwbIX859D.cs |
High entropy of concatenated method names: 'p2mCqpFCPn', 'GxhCaKsNJA', 'YsgCGTHgfT', 'sdrC0KVIcb', 'qNwCXhqVh2', 'z6AC73mO5R', 'Dd9C5l30hU', 'jSBCILHUuY', 'weWCKlou8x', 'ObDCrlEc9C' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, s1JCvvuEraKO4aO8c1.cs |
High entropy of concatenated method names: 'Dispose', 'fdOsfk1qEl', 'bjphU7jAf5', 'AtPYY8CAsf', 'qYSsQJd1vU', 'biVszO0WRS', 'ProcessDialogKey', 'xtFhw94Fda', 'HDthsLSt5Y', 'w6whhMUXl3' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, M94FdafxDtLSt5Y46w.cs |
High entropy of concatenated method names: 'keqigx41oc', 'XhtiUJKLwb', 'BcpixN9W6f', 'kIViDJGOZo', 'ubhi13R5Ji', 'AHYiliTA72', 'Next', 'Next', 'Next', 'NextBytes' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, SKXiGDrAfbiCHdSK3S.cs |
High entropy of concatenated method names: 'aQejXQRAyk', 'zMQj5aRlSw', 'S0kVxnXbiU', 'OKoVD5oDUM', 'o05VlNXlj3', 'cL1VEXVdrx', 'rWkVHOJHNL', 'V4wVF9EBCh', 'iE8VeYuJJJ', 'XJsVSAIePt' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, YmnKt3swn5cFxyQhobJ.cs |
High entropy of concatenated method names: 'H89cqngEQf', 'mlWcadK5Y6', 'mBFcG25isD', 'Gmvc00dqgD', 'gaocXlOKfj', 'wEYc7U3gpq', 'udLc5DPouo', 'j2TcIufgk5', 'MEgcKoU7gA', 'zO7cr9pGa3' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, qTxWgB33udNUpZMyHq.cs |
High entropy of concatenated method names: 'd79pIS5W9a', 'xZBpKi0YDv', 'vERpgMJwo8', 'ouWpU4dx4U', 'zUBpDE76t4', 'NaxpliSCDw', 'LZdpHZT9N6', 'xwXpFk6aTu', 'QjdpSySOWr', 'qkOpmxKRvL' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, VSJd1v6UsiVO0WRSZt.cs |
High entropy of concatenated method names: 'w2Kiv2isUi', 'AQNiukQSeO', 'yeOiVohAQ4', 'kb0ijiiSpT', 'Eskio3JAE0', 'eVPiCBt5ZR', 'ig4iWSOuee', 'vN9i88maxh', 'KMYiADA7wC', 'wOViyy85Tt' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lmin8QhhIQq4ovY4Tc.cs |
High entropy of concatenated method names: 'xvoGtBDNZ', 'UZo0APtET', 'JXl7TZZL9', 'HvT5lhTfv', 'w41KkBBV6', 'JhGrcqeha', 'MK7d1pC7PU0Cla9Ckv', 'O9eoWmpHRR5hJAN49G', 'T8OigULDp', 'VgZb3YDe9' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, d3UmV22nuMAGQR9kgB.cs |
High entropy of concatenated method names: 'CNAsCMlitt', 'UpssWxqyHR', 'xGAsAXV6pD', 'NItsyGOKXi', 'uSKsM3ShDb', 'TxKsRtfhD1', 'FWt3APEdFEO7YKsLsg', 'ORyPgb3ecawqpWNOT5', 't1Rssd0O68', 'uSlsLFC7LK' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, cMxtSezGcjyLrA6GXP.cs |
High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C2Scpp5bpC', 'XbecMsJSWc', 'J5EcRYKie8', 'pXkcPKEGJZ', 'sX6ci8q33F', 'O4MccIB4mK', 'eKqcbMRZA3' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lMlittINpsxqyHRioh.cs |
High entropy of concatenated method names: 'cIpu1thYrm', 'jdNuO3lMgP', 'IlZuBlyHTs', 'n4RukX38MA', 'GrLuNa1oP4', 'UOSuY0NRDg', 'yjKut27e5u', 'dPRu6c1Ahr', 'dUZufDNsoB', 'FKiuQAjpbw' |
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, Rre25hYWnTuqvUqFJf.cs |
High entropy of concatenated method names: 'hsxP6eGYqm', 'hR3PQWay4U', 'Nf6iw75NSh', 'Ceqis2gimp', 'F5NPmAPZTV', 'Q8nP9RdXbL', 'bOdP3WcbBU', 'NJZP1Kokjg', 'hAxPOu8TLg', 'MGFPBgqSIx' |
Source: 0.2.6122.scr.exe.32a418c.2.raw.unpack, JK.cs |
High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq' |
Source: 0.2.6122.scr.exe.32ad7a4.3.raw.unpack, JK.cs |
High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq' |
Source: 0.2.6122.scr.exe.32552b0.0.raw.unpack, JK.cs |
High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq' |
Source: 4.2.Adobe.exe.31d5288.0.raw.unpack, JK.cs |
High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq' |
Source: 4.2.Adobe.exe.322d71c.3.raw.unpack, JK.cs |
High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq' |
Source: 4.2.Adobe.exe.3224104.2.raw.unpack, JK.cs |
High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq' |
Source: C:\Users\user\Desktop\6122.scr.exe |
Process information set: NOOPENFILEERRORBOX |
(identical record repeated 42 times for this process) |
Source: C:\ProgramData\Adobe\Adobe.exe |
Process information set: NOOPENFILEERRORBOX |
(identical record repeated 162 times for this process) |
Source: C:\Users\user\Desktop\6122.scr.exe |
Memory allocated: 1770000 memory reserve | memory write watch |

Source: C:\Users\user\Desktop\6122.scr.exe |
Memory allocated: 3220000 memory reserve | memory write watch |

Source: C:\Users\user\Desktop\6122.scr.exe |
Memory allocated: 5220000 memory reserve | memory write watch |

Source: C:\Users\user\Desktop\6122.scr.exe |
Memory allocated: 8500000 memory reserve | memory write watch |

Source: C:\Users\user\Desktop\6122.scr.exe |
Memory allocated: 9500000 memory reserve | memory write watch |

Source: C:\Users\user\Desktop\6122.scr.exe |
Memory allocated: 96C0000 memory reserve | memory write watch |

Source: C:\Users\user\Desktop\6122.scr.exe |
Memory allocated: A6C0000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 1490000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 31A0000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 51A0000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 7FC0000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 8FC0000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 9170000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: A170000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 1550000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 3040000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 2E10000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 7E60000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 8E60000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 9010000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: A010000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 2CC0000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 2F50000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 2CC0000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 7C90000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 8C90000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 8E40000 memory reserve | memory write watch |

Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 9E40000 memory reserve | memory write watch |
Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: ED0000 memory reserve | memory write watch |
|
Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 2970000 memory reserve | memory write watch |
|
Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 2880000 memory reserve | memory write watch |
|
Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 7710000 memory reserve | memory write watch |
|
Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 8710000 memory reserve | memory write watch |
|
Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 88C0000 memory reserve | memory write watch |
|
Source: C:\ProgramData\Adobe\Adobe.exe |
Memory allocated: 98C0000 memory reserve | memory write watch |
|
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_00409253 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
3_2_0041C291 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
3_2_0040C34D |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_00409665 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0044E879 FindFirstFileExA, |
3_2_0044E879 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
3_2_0040880C |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040783C FindFirstFileW,FindNextFileW, |
3_2_0040783C |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
3_2_00419AF5 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
3_2_0040BB30 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
3_2_0040BD37 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
5_2_100010F1 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 5_2_10006580 FindFirstFileExA, |
5_2_10006580 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW, |
6_2_0040AE51 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, |
7_2_00407EF8 |
Source: C:\ProgramData\Adobe\Adobe.exe |
Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, |
8_2_00407898 |
Source: C:\Users\user\Desktop\6122.scr.exe |
Queries volume information: C:\Users\user\Desktop\6122.scr.exe VolumeInformation |

Source: C:\Users\user\Desktop\6122.scr.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |

Source: C:\Users\user\Desktop\6122.scr.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |

Source: C:\Users\user\Desktop\6122.scr.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |

Source: C:\Users\user\Desktop\6122.scr.exe |
Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation |

Source: C:\Users\user\Desktop\6122.scr.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |

Source: C:\ProgramData\Adobe\Adobe.exe |
Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation |

Source: C:\ProgramData\Adobe\Adobe.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |

Source: C:\ProgramData\Adobe\Adobe.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |

Source: C:\ProgramData\Adobe\Adobe.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |

Source: C:\ProgramData\Adobe\Adobe.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |

Source: C:\ProgramData\Adobe\Adobe.exe |
Queries volume information: C:\ VolumeInformation |