Windows Analysis Report
rSOD219ISF-____.scr.exe

AI detected suspicious sample

Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1933496998.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1731258252.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2015515611.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1847433881.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4178218379.0000000001597000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 8000, type: MEMORYSTR

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Adobe\Adobe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rSOD219ISF-____.scr.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

2_2_00433837

Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_a821c1d2-5

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7928, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_004074FD _wcslen,CoGetObject,

2_2_004074FD

Source: rSOD219ISF-____.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rSOD219ISF-____.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_00409253
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	2_2_0041C291
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	2_2_0040C34D
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_00409665
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	2_2_0040880C
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040783C FindFirstFileW,FindNextFileW,	2_2_0040783C
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00419AF5
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040BB30
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW,	5_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407898

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00407C97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49736 -> 104.250.180.178:7902
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49733 -> 104.250.180.178:7902

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 104.250.180.178:7902

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49737 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_0041B380

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe, Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Adobe.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhv96DB.tmp.5.dr	String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv96DB.tmp.5.dr	String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: Adobe.exe, 00000005.00000002.1828960927.000000000103C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000005.00000002.1828960927.000000000103C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Adobe.exe, 00000005.00000002.1828149652.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000005.00000002.1828149652.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: rSOD219ISF-____.scr.exe, Adobe.exe, 00000004.00000002.4178605857.00000000015F3000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, bhv96DB.tmp.5.dr	String found in binary or memory: http://geoplugin.net/json.gp
Source: Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp.
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, rSOD219ISF-____.scr.exe, 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1731455091.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, rSOD219ISF-____.scr.exe, 00000000.00000002.1731455091.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1743546290.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1743546290.0000000003274000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000009.00000002.1850620884.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000009.00000002.1850620884.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000E.00000002.1936073198.00000000032EB000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000E.00000002.1936073198.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.2020151696.000000000369B000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.2020151696.000000000370D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: Adobe.exe, Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Adobe.exe, Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bhv96DB.tmp.5.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: Adobe.exe, 00000005.00000002.1828485865.00000000007C4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Adobe.exe, 00000005.00000002.1828960927.000000000103C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: Adobe.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Adobe.exe, Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Adobe.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv96DB.tmp.5.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

2_2_0040A2B8

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0040B70E

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	2_2_004168C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	5_2_0040987A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	5_2_004098E2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	7_2_00406DFC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	7_2_00406E9F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	8_2_004068B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	8_2_004072B5

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

2_2_0040B70E

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

2_2_0040A3E0

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1933496998.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1731258252.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2015515611.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1847433881.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4178218379.0000000001597000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 8000, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0041C9E2 SystemParametersInfoW,

2_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 432, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 6756, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Adobe.exe PID: 7928, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	5_2_0040DD85
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00401806 NtdllDefWindowProc_W,	5_2_00401806
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_004018C0 NtdllDefWindowProc_W,	5_2_004018C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004016FD NtdllDefWindowProc_A,	7_2_004016FD
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004017B7 NtdllDefWindowProc_A,	7_2_004017B7
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00402CAC NtdllDefWindowProc_A,	8_2_00402CAC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00402D66 NtdllDefWindowProc_A,	8_2_00402D66

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

2_2_004167B4

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_05BF9E30	0_2_05BF9E30
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_05BF9880	0_2_05BF9880
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_05BF9870	0_2_05BF9870
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_0764DA30	0_2_0764DA30
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_07648BC0	0_2_07648BC0
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_07648BD0	0_2_07648BD0
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E7D30	0_2_076E7D30
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E2640	0_2_076E2640
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E2650	0_2_076E2650
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E4480	0_2_076E4480
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E4490	0_2_076E4490
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E2209	0_2_076E2209
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E2218	0_2_076E2218
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E1DE0	0_2_076E1DE0
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E1DD0	0_2_076E1DD0
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E19A8	0_2_076E19A8
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076E19A7	0_2_076E19A7
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0043E0CC	2_2_0043E0CC
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0041F0FA	2_2_0041F0FA
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00454159	2_2_00454159
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00438168	2_2_00438168
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_004461F0	2_2_004461F0
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0043E2FB	2_2_0043E2FB
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0045332B	2_2_0045332B
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0042739D	2_2_0042739D
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_004374E6	2_2_004374E6
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0043E558	2_2_0043E558
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00438770	2_2_00438770
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_004378FE	2_2_004378FE
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00433946	2_2_00433946
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0044D9C9	2_2_0044D9C9
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00427A46	2_2_00427A46
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0041DB62	2_2_0041DB62
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00427BAF	2_2_00427BAF
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00437D33	2_2_00437D33
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00435E5E	2_2_00435E5E
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00426E0E	2_2_00426E0E
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0043DE9D	2_2_0043DE9D
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00413FCA	2_2_00413FCA
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00436FEA	2_2_00436FEA
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_05BCAFE0	3_2_05BCAFE0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_05BC4420	3_2_05BC4420
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_05BC4410	3_2_05BC4410
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_05BC3404	3_2_05BC3404
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_05BCAFB0	3_2_05BCAFB0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_063B9E30	3_2_063B9E30
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_063B987B	3_2_063B987B
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_063B9880	3_2_063B9880
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_079A8BD0	3_2_079A8BD0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC7D20	3_2_07CC7D20
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC2640	3_2_07CC2640
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC2650	3_2_07CC2650
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC4480	3_2_07CC4480
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC4490	3_2_07CC4490
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC2209	3_2_07CC2209
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC2218	3_2_07CC2218
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC1DD0	3_2_07CC1DD0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC1DE0	3_2_07CC1DE0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC19A8	3_2_07CC19A8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_07CC1972	3_2_07CC1972
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10017194	4_2_10017194
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_1000B5C1	4_2_1000B5C1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044B040	5_2_0044B040
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0043610D	5_2_0043610D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00447310	5_2_00447310
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044A490	5_2_0044A490
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0040755A	5_2_0040755A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0043C560	5_2_0043C560
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044B610	5_2_0044B610
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044D6C0	5_2_0044D6C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_004476F0	5_2_004476F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044B870	5_2_0044B870
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044081D	5_2_0044081D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00414957	5_2_00414957
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_004079EE	5_2_004079EE
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00407AEB	5_2_00407AEB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044AA80	5_2_0044AA80
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00412AA9	5_2_00412AA9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00404B74	5_2_00404B74
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00404B03	5_2_00404B03
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044BBD8	5_2_0044BBD8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00404BE5	5_2_00404BE5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00404C76	5_2_00404C76
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00415CFE	5_2_00415CFE
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00416D72	5_2_00416D72
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00446D30	5_2_00446D30
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00446D8B	5_2_00446D8B
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00406E8F	5_2_00406E8F
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00405038	7_2_00405038
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0041208C	7_2_0041208C
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004050A9	7_2_004050A9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0040511A	7_2_0040511A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0043C13A	7_2_0043C13A
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004051AB	7_2_004051AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00449300	7_2_00449300
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0040D322	7_2_0040D322
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044A4F0	7_2_0044A4F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0043A5AB	7_2_0043A5AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00413631	7_2_00413631
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00446690	7_2_00446690
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044A730	7_2_0044A730
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004398D8	7_2_004398D8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_004498E0	7_2_004498E0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044A886	7_2_0044A886
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0043DA09	7_2_0043DA09
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00438D5E	7_2_00438D5E
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00449ED0	7_2_00449ED0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0041FE83	7_2_0041FE83
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00430F54	7_2_00430F54
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004050C2	8_2_004050C2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004014AB	8_2_004014AB
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00405133	8_2_00405133
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004051A4	8_2_004051A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00401246	8_2_00401246
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_0040CA46	8_2_0040CA46
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00405235	8_2_00405235
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_004032C8	8_2_004032C8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00401689	8_2_00401689
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00402F60	8_2_00402F60
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05C6AFE0	9_2_05C6AFE0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05C63404	9_2_05C63404
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05C64420	9_2_05C64420
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05C6AFB0	9_2_05C6AFB0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05CA9E30	9_2_05CA9E30
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05CA9880	9_2_05CA9880
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_05CA9870	9_2_05CA9870
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_0735EF10	9_2_0735EF10
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_07358BD0	9_2_07358BD0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_07358BCF	9_2_07358BCF
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_0735F972	9_2_0735F972
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F7D20	9_2_073F7D20
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F2650	9_2_073F2650
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F2640	9_2_073F2640
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F4490	9_2_073F4490
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F4480	9_2_073F4480
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F2218	9_2_073F2218
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F2209	9_2_073F2209
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F1DE0	9_2_073F1DE0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F1DD0	9_2_073F1DD0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F19A8	9_2_073F19A8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 9_2_073F19A7	9_2_073F19A7

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: String function: 00401E65 appears 34 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 004165FF appears 35 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00422297 appears 42 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00413025 appears 79 times
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: String function: 00416760 appears 69 times

Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1729397980.000000000092E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rSOD219ISF-____.scr.exe
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rSOD219ISF-____.scr.exe
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1738111076.0000000007ED0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rSOD219ISF-____.scr.exe
Source: rSOD219ISF-____.scr.exe, 00000000.00000002.1731455091.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs rSOD219ISF-____.scr.exe
Source: rSOD219ISF-____.scr.exe	Binary or memory string: OriginalFilenameoge.exe@ vs rSOD219ISF-____.scr.exe

Source: rSOD219ISF-____.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 432, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 6756, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Adobe.exe PID: 7928, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: rSOD219ISF-____.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, uZfm3RlU1hd6OEUdJL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, uZfm3RlU1hd6OEUdJL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, uThHoRE84EF1gITyGd.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, uThHoRE84EF1gITyGd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, uThHoRE84EF1gITyGd.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, uThHoRE84EF1gITyGd.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, uThHoRE84EF1gITyGd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, uThHoRE84EF1gITyGd.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@26/7@1/2

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

5_2_004182CE

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		2_2_00417952
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,		8_2_00410DE1

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

5_2_00418758

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

2_2_0040F474

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

2_2_0041B4A8

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0041AA4A

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rSOD219ISF-____.scr.exe.log

Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe-OTOIRK
Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: NULL
Source: C:\ProgramData\Adobe\Adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\ProgramData\Adobe\Adobe.exe

File created: C:\Users\user\AppData\Local\Temp\bhv96DB.tmp

Source: rSOD219ISF-____.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rSOD219ISF-____.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\ProgramData\Adobe\Adobe.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Adobe.exe, Adobe.exe, 00000005.00000002.1828149652.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Adobe.exe, Adobe.exe, 00000007.00000002.1822288377.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe.exe, 00000005.00000002.1828149652.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe.exe, Adobe.exe, 00000005.00000002.1828149652.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe.exe, Adobe.exe, 00000005.00000002.1828149652.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe.exe, Adobe.exe, 00000005.00000002.1828149652.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Adobe.exe, 00000005.00000002.1829071272.000000000280F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Adobe.exe, Adobe.exe, 00000005.00000002.1828149652.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: rSOD219ISF-____.scr.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

File read: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe:Zone.Identifier

Source: C:\ProgramData\Adobe\Adobe.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe "C:\Users\user\Desktop\rSOD219ISF-____.scr.exe"
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process created: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe "C:\Users\user\Desktop\rSOD219ISF-____.scr.exe"
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\trjggazotdeaznpdaliydbqndn"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\dtpyhskqhlwfkbdpjwuzggcwmubqst"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\dtpyhskqhlwfkbdpjwuzggcwmubqst"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\onurakujvtpjmhztaghtrsxnnatrlexmp"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process created: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe "C:\Users\user\Desktop\rSOD219ISF-____.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\trjggazotdeaznpdaliydbqndn"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\dtpyhskqhlwfkbdpjwuzggcwmubqst"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\dtpyhskqhlwfkbdpjwuzggcwmubqst"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\onurakujvtpjmhztaghtrsxnnatrlexmp"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: propsys.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: propsys.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\ProgramData\Adobe\Adobe.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

.NET source code contains potential unpacker

Source: rSOD219ISF-____.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rSOD219ISF-____.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, uThHoRE84EF1gITyGd.cs	.Net Code: MYeaQBROhclMTvHYSaD System.Reflection.Assembly.Load(byte[])
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, uThHoRE84EF1gITyGd.cs	.Net Code: MYeaQBROhclMTvHYSaD System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_0041CB50

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_05BF6AC0 push eax; ret	0_2_05BF6AC1
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_0764C6C4 push eax; retf	0_2_0764C6D1
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_07647440 push eax; retf	0_2_07647441
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076474D0 pushfd ; retf	0_2_076474D1
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 0_2_076461E2 pushfd ; ret	0_2_076461E9
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00457106 push ecx; ret	2_2_00457119
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0045B11A push esp; ret	2_2_0045B141
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00457A28 push eax; ret	2_2_00457A46
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00434E56 push ecx; ret	2_2_00434E69
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_05BC36D5 push 59E89005h; retf	3_2_05BC36F4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_05BC51BE push 10418B05h; ret	3_2_05BC51C3
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_063B67B0 push es; ret	3_2_063B67C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_063B67F3 push es; ret	3_2_063B67C0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_063B72A0 push es; ret	3_2_063B72B0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_063B7D50 push es; ret	3_2_063B7D60
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_063BCDF1 push es; retn 0004h	3_2_063BCE00
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_063B6AC0 push eax; ret	3_2_063B6AC1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_079AC6C4 push eax; retf	3_2_079AC6D1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_079A74D0 pushfd ; retf	3_2_079A74D1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_079A7440 push eax; retf	3_2_079A7441
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 3_2_079A61E2 pushfd ; ret	3_2_079A61E9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10002806 push ecx; ret	4_2_10002819
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10009FD8 push esi; ret	4_2_10009FD9
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044693D push ecx; ret	5_2_0044694D
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044DB70 push eax; ret	5_2_0044DB84
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0044DB70 push eax; ret	5_2_0044DBAC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_00451D54 push eax; ret	5_2_00451D61
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044B090 push eax; ret	7_2_0044B0A4
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_0044B090 push eax; ret	7_2_0044B0CC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00444E71 push ecx; ret	7_2_00444E81
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00414060 push eax; ret	8_2_00414074

Source: rSOD219ISF-____.scr.exe	Static PE information: section name: .text entropy: 7.889422160436118
Source: Adobe.exe.2.dr	Static PE information: section name: .text entropy: 7.889422160436118

Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, i5n5VrJQGCTXpT1kkq.cs	High entropy of concatenated method names: 'ToString', 'blHq6OlSWk', 'AS8qCdGaUI', 'mD7qn4hh2K', 'h6MqSwwNj2', 'b09qBU4d1B', 'p2BqmlxNbU', 'hbtqNaaw3y', 'Rd4qvcNs0H', 'QtNqZfbsVI'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, OZEg7d2SGr7k1mv20n.cs	High entropy of concatenated method names: 'PbGeTe5W3L', 'PDueHydw3n', 'qKueuVs0XQ', 'Et2e9uCoYm', 'Epoe3VABub', 'HWgeqgDoWP', 'UCqgPcpvpKCL9VOpyF', 'K1lBI1kIkn4lcR8aXi', 'VLaees2mKC', 'MLBe0SQFZ9'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, axJfVqTPaMn5rIRuAK.cs	High entropy of concatenated method names: 'B6qRQnex7c', 'FuGRkDW97s', 'qVjRFIcOl5', 'g8BRocvo0I', 'xG2R3jVAHu', 'YmIRqSKOkQ', 'fG6R4xfavA', 'kGTR1kWNF7', 'QNlR5SdWxb', 'NyPR8JdXkp'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, uZfm3RlU1hd6OEUdJL.cs	High entropy of concatenated method names: 'MTafwMlLc6', 'tPvfUwS4IN', 'divfbE3P81', 'fcJfVDsYR7', 'GbNfdKLWlS', 'QxHfLtGyQv', 'XXXftXWuV1', 'vMAfglV9Ii', 'DMpfJkUxlv', 'lyIfKSbksW'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, EWYhIb9ycPQ92vbZSf.cs	High entropy of concatenated method names: 'rA9WFvYuFY', 'NBKWoM2mdd', 'zYSW2t5ieo', 'QLeWCIkRuw', 'xOZWSiFh9c', 'wc0WBrky2S', 'UBUWNAkota', 'f0KWvUjcNS', 'BhSW7fMnfx', 'L4lW6di6Ce'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, sJC4CJFmByZTDYAWLO.cs	High entropy of concatenated method names: 'NuSIbWk2Ri', 'AtCIVQe3gP', 'WGxIdpTIIq', 'ToString', 'fM3ILmVO0Y', 'J9cItYtGqF', 'W1ADuJFg33JYj40H3sm', 'shXqMCFE7kVEloj1t6K', 'Gy7LqXF1ePQcbQUt17o'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, gk82Pdm3uVJJStpMJF.cs	High entropy of concatenated method names: 'Kj9AWfRaF', 'BL0Q24JZg', 'YuCknYbng', 'TnRyk91nE', 'MSOoKjTCB', 'kBjpAEKou', 'hqKYvW64Ga9eInigVx', 'rTccmeBQBVHRYRZoTM', 'MKW1Xs4Sx', 'PRL8qLIRI'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, fPuhdCtpqqmQf2sHCi.cs	High entropy of concatenated method names: 'T9a1Ml5pIf', 'HA51fXIRnk', 'j4s1RsBB2u', 'lbA1P0BmVa', 'wkO1I5cjeH', 'scv1TFPUgQ', 'yqt1H57mkn', 'sD61OE1PPa', 'DHm1uX2pM8', 'zQX19jd2Yh'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, Gex7mNLDEfDDYsUkUT.cs	High entropy of concatenated method names: 'yyA37UPh6j', 'KhB3scZnRm', 'ixx3wqC9yC', 't4G3U65WZh', 'PDf3CpsSUm', 'm1H3nYHVNs', 'fgj3SFd0OH', 'Snm3BOH62U', 'KjK3mkAxCW', 'Qtr3NY5Fby'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, oDuKYOGkBsXLOWcVE0.cs	High entropy of concatenated method names: 'AJvcKQFO2lpUDmwP6oc', 'kfDr3IFhA1BgZSEOupm', 'W97I193Lic', 'YuII5h233w', 'p5MI83srLG', 'qbEocBFolhoRTrajpqD', 'zCmOqZFXH16090OHMNo'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, V8H4QPVOYC71CL5RRn.cs	High entropy of concatenated method names: 'PwK4gguBB0', 'CZR4KdjfG4', 'ISD1hQxoEE', 'AWy1e3doRN', 'e8f46CknVm', 'vC14sMjqF1', 'Xts4EvdEGu', 'acJ4wcTyiO', 'GlJ4UfCmMJ', 'lMd4bV7gFs'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, K3fGHca5oQqjcXWxgSE.cs	High entropy of concatenated method names: 'mxy5X7QPfs', 'd3y5Gj3JE7', 'ceg5A9pfj0', 'Gd45Qtypu9', 'aFj5rAusdP', 'UOH5ka8PE5', 'f485yvyI1b', 'W7f5F43W01', 'FO75o7wx1Z', 'vT25pWE8cw'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, XFIssgkyXcVofJg00e.cs	High entropy of concatenated method names: 'zxfIDWBbQM', 'lLOIfj7Gcc', 'pZTIPhsyEp', 'potITpCPjQ', 'tHkIHn9E8C', 'fYZPdGoMGC', 'kifPLTXXcQ', 'POUPt3a2I8', 'jXFPg0qFbb', 'qQvPJBuDjb'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, cvVL404Sdtk3qjoJ6U.cs	High entropy of concatenated method names: 'Dispose', 'fmHeJWR2my', 'OrBxC3G1gP', 'DbwccBL0CO', 'mcveKs1Q3L', 'yEbezZhajy', 'ProcessDialogKey', 'QOCxhEFHXY', 'sgvxeN9Cw2', 'TQAxxt5c6G'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, kVA9iEcQxxcd5xUhYd.cs	High entropy of concatenated method names: 'e8j4u8F6k1', 'fyn49LW4IW', 'ToString', 'RKT4Mvu858', 'XiE4fXGNU5', 'mQB4RXHfFQ', 'KF44PrH2tj', 'IEb4IwbCP4', 'FVh4TqvAif', 'AhF4HQK9FE'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, d8G6GRaaoChup947BTr.cs	High entropy of concatenated method names: 'ToString', 'Nfc802BQC5', 'RFI8j5hGh1', 'cBD8DgFjuf', 'cLl8MD4CWb', 'V4B8fnaXPq', 'm5N8RVkbd6', 'wLS8PBghO4', 'OJUItUrW5hx4AY74xHc', 'rMoNa1rjiWympLtEhCs'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, VuriiyzBu8w4rGrnZ9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LNk5WmNwLy', 'BTH53tfAro', 'DoV5q1SlXY', 'gwQ54oejqa', 'zQQ51PMW2f', 'Nf055asfpV', 'e7158HhXqo'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, zxOd2JMxwjTOGkv25m.cs	High entropy of concatenated method names: 'Rvd12EBrN2', 'U0P1CTxBqa', 'OLt1nLYkm3', 'amk1SbnYyw', 'YoQ1wnXke6', 'YXl1BBnfn9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, tH4bULuoCGXrYWlQsk.cs	High entropy of concatenated method names: 'D4MTMEVFDh', 'ECtTRAbb4T', 'HCITIp2KF7', 'aIaIKgY29K', 'JxNIzVIkYZ', 'FylThPnrXS', 'kV1TedLKAk', 'uNkTxh77Qj', 'yCcT0LVQee', 'NrgTjdlud6'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, V6lLTXDoH1543aLswB.cs	High entropy of concatenated method names: 'gSyTXt1J4x', 'Tn4TGhHxtd', 'SiWTAoEETh', 'EZjTQwuCJ2', 'lsjTrZERt5', 'FeaTkigTEf', 'zK1Tyyk1ZS', 'M53TFHP0EE', 'ynBToSMVbT', 'mAHTpDV5XX'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, THVnBtaOLQ4lNrcvJeh.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Jjl8w9FGhi', 'W1W8UIN4S4', 'S2H8b1clyK', 'ikH8VhX8m8', 'Txe8dU3vSw', 'gvP8L7wUrQ', 'NY58t0hfFh'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, h8A6mUNkIXwwJSoV9b.cs	High entropy of concatenated method names: 'OsuPror0qQ', 'zo2PyVa241', 'L7gRnGRfGH', 'zxLRSIU62b', 'tU9RBPbAEh', 'c2nRmkXPI0', 'I5mRNDLE7c', 'K3ERvIOCCD', 'rebRZLRFjV', 'FJ5R7Z4ivm'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, uThHoRE84EF1gITyGd.cs	High entropy of concatenated method names: 'aWo0D8Pebo', 'meK0MjC1sq', 'hs60fjtOjm', 'fa80R0BWCh', 'EIY0Pw7C4Y', 'yJZ0I6MrRA', 'yx70T7uewx', 'iLB0HiaMcR', 'YPh0Owk7Kq', 'IpF0uMnBAA'
Source: 0.2.rSOD219ISF-____.scr.exe.7ed0000.6.raw.unpack, b7lVpn1tLur0thox8f.cs	High entropy of concatenated method names: 'AW65e1UDB4', 'sDm50ImTyT', 'C6y5jV2aAf', 'LUS5M71UVs', 'g5Y5fObeNE', 'E0W5Pmhb1y', 'Ewp5I02HBC', 'DwF1tiT1LZ', 'lXg1g3jJAi', 'o5E1JaFRkd'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, i5n5VrJQGCTXpT1kkq.cs	High entropy of concatenated method names: 'ToString', 'blHq6OlSWk', 'AS8qCdGaUI', 'mD7qn4hh2K', 'h6MqSwwNj2', 'b09qBU4d1B', 'p2BqmlxNbU', 'hbtqNaaw3y', 'Rd4qvcNs0H', 'QtNqZfbsVI'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, OZEg7d2SGr7k1mv20n.cs	High entropy of concatenated method names: 'PbGeTe5W3L', 'PDueHydw3n', 'qKueuVs0XQ', 'Et2e9uCoYm', 'Epoe3VABub', 'HWgeqgDoWP', 'UCqgPcpvpKCL9VOpyF', 'K1lBI1kIkn4lcR8aXi', 'VLaees2mKC', 'MLBe0SQFZ9'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, axJfVqTPaMn5rIRuAK.cs	High entropy of concatenated method names: 'B6qRQnex7c', 'FuGRkDW97s', 'qVjRFIcOl5', 'g8BRocvo0I', 'xG2R3jVAHu', 'YmIRqSKOkQ', 'fG6R4xfavA', 'kGTR1kWNF7', 'QNlR5SdWxb', 'NyPR8JdXkp'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, uZfm3RlU1hd6OEUdJL.cs	High entropy of concatenated method names: 'MTafwMlLc6', 'tPvfUwS4IN', 'divfbE3P81', 'fcJfVDsYR7', 'GbNfdKLWlS', 'QxHfLtGyQv', 'XXXftXWuV1', 'vMAfglV9Ii', 'DMpfJkUxlv', 'lyIfKSbksW'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, EWYhIb9ycPQ92vbZSf.cs	High entropy of concatenated method names: 'rA9WFvYuFY', 'NBKWoM2mdd', 'zYSW2t5ieo', 'QLeWCIkRuw', 'xOZWSiFh9c', 'wc0WBrky2S', 'UBUWNAkota', 'f0KWvUjcNS', 'BhSW7fMnfx', 'L4lW6di6Ce'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, sJC4CJFmByZTDYAWLO.cs	High entropy of concatenated method names: 'NuSIbWk2Ri', 'AtCIVQe3gP', 'WGxIdpTIIq', 'ToString', 'fM3ILmVO0Y', 'J9cItYtGqF', 'W1ADuJFg33JYj40H3sm', 'shXqMCFE7kVEloj1t6K', 'Gy7LqXF1ePQcbQUt17o'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, gk82Pdm3uVJJStpMJF.cs	High entropy of concatenated method names: 'Kj9AWfRaF', 'BL0Q24JZg', 'YuCknYbng', 'TnRyk91nE', 'MSOoKjTCB', 'kBjpAEKou', 'hqKYvW64Ga9eInigVx', 'rTccmeBQBVHRYRZoTM', 'MKW1Xs4Sx', 'PRL8qLIRI'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, fPuhdCtpqqmQf2sHCi.cs	High entropy of concatenated method names: 'T9a1Ml5pIf', 'HA51fXIRnk', 'j4s1RsBB2u', 'lbA1P0BmVa', 'wkO1I5cjeH', 'scv1TFPUgQ', 'yqt1H57mkn', 'sD61OE1PPa', 'DHm1uX2pM8', 'zQX19jd2Yh'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, Gex7mNLDEfDDYsUkUT.cs	High entropy of concatenated method names: 'yyA37UPh6j', 'KhB3scZnRm', 'ixx3wqC9yC', 't4G3U65WZh', 'PDf3CpsSUm', 'm1H3nYHVNs', 'fgj3SFd0OH', 'Snm3BOH62U', 'KjK3mkAxCW', 'Qtr3NY5Fby'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, oDuKYOGkBsXLOWcVE0.cs	High entropy of concatenated method names: 'AJvcKQFO2lpUDmwP6oc', 'kfDr3IFhA1BgZSEOupm', 'W97I193Lic', 'YuII5h233w', 'p5MI83srLG', 'qbEocBFolhoRTrajpqD', 'zCmOqZFXH16090OHMNo'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, V8H4QPVOYC71CL5RRn.cs	High entropy of concatenated method names: 'PwK4gguBB0', 'CZR4KdjfG4', 'ISD1hQxoEE', 'AWy1e3doRN', 'e8f46CknVm', 'vC14sMjqF1', 'Xts4EvdEGu', 'acJ4wcTyiO', 'GlJ4UfCmMJ', 'lMd4bV7gFs'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, K3fGHca5oQqjcXWxgSE.cs	High entropy of concatenated method names: 'mxy5X7QPfs', 'd3y5Gj3JE7', 'ceg5A9pfj0', 'Gd45Qtypu9', 'aFj5rAusdP', 'UOH5ka8PE5', 'f485yvyI1b', 'W7f5F43W01', 'FO75o7wx1Z', 'vT25pWE8cw'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, XFIssgkyXcVofJg00e.cs	High entropy of concatenated method names: 'zxfIDWBbQM', 'lLOIfj7Gcc', 'pZTIPhsyEp', 'potITpCPjQ', 'tHkIHn9E8C', 'fYZPdGoMGC', 'kifPLTXXcQ', 'POUPt3a2I8', 'jXFPg0qFbb', 'qQvPJBuDjb'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, cvVL404Sdtk3qjoJ6U.cs	High entropy of concatenated method names: 'Dispose', 'fmHeJWR2my', 'OrBxC3G1gP', 'DbwccBL0CO', 'mcveKs1Q3L', 'yEbezZhajy', 'ProcessDialogKey', 'QOCxhEFHXY', 'sgvxeN9Cw2', 'TQAxxt5c6G'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, kVA9iEcQxxcd5xUhYd.cs	High entropy of concatenated method names: 'e8j4u8F6k1', 'fyn49LW4IW', 'ToString', 'RKT4Mvu858', 'XiE4fXGNU5', 'mQB4RXHfFQ', 'KF44PrH2tj', 'IEb4IwbCP4', 'FVh4TqvAif', 'AhF4HQK9FE'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, d8G6GRaaoChup947BTr.cs	High entropy of concatenated method names: 'ToString', 'Nfc802BQC5', 'RFI8j5hGh1', 'cBD8DgFjuf', 'cLl8MD4CWb', 'V4B8fnaXPq', 'm5N8RVkbd6', 'wLS8PBghO4', 'OJUItUrW5hx4AY74xHc', 'rMoNa1rjiWympLtEhCs'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, VuriiyzBu8w4rGrnZ9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LNk5WmNwLy', 'BTH53tfAro', 'DoV5q1SlXY', 'gwQ54oejqa', 'zQQ51PMW2f', 'Nf055asfpV', 'e7158HhXqo'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, zxOd2JMxwjTOGkv25m.cs	High entropy of concatenated method names: 'Rvd12EBrN2', 'U0P1CTxBqa', 'OLt1nLYkm3', 'amk1SbnYyw', 'YoQ1wnXke6', 'YXl1BBnfn9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, tH4bULuoCGXrYWlQsk.cs	High entropy of concatenated method names: 'D4MTMEVFDh', 'ECtTRAbb4T', 'HCITIp2KF7', 'aIaIKgY29K', 'JxNIzVIkYZ', 'FylThPnrXS', 'kV1TedLKAk', 'uNkTxh77Qj', 'yCcT0LVQee', 'NrgTjdlud6'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, V6lLTXDoH1543aLswB.cs	High entropy of concatenated method names: 'gSyTXt1J4x', 'Tn4TGhHxtd', 'SiWTAoEETh', 'EZjTQwuCJ2', 'lsjTrZERt5', 'FeaTkigTEf', 'zK1Tyyk1ZS', 'M53TFHP0EE', 'ynBToSMVbT', 'mAHTpDV5XX'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, THVnBtaOLQ4lNrcvJeh.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Jjl8w9FGhi', 'W1W8UIN4S4', 'S2H8b1clyK', 'ikH8VhX8m8', 'Txe8dU3vSw', 'gvP8L7wUrQ', 'NY58t0hfFh'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, h8A6mUNkIXwwJSoV9b.cs	High entropy of concatenated method names: 'OsuPror0qQ', 'zo2PyVa241', 'L7gRnGRfGH', 'zxLRSIU62b', 'tU9RBPbAEh', 'c2nRmkXPI0', 'I5mRNDLE7c', 'K3ERvIOCCD', 'rebRZLRFjV', 'FJ5R7Z4ivm'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, uThHoRE84EF1gITyGd.cs	High entropy of concatenated method names: 'aWo0D8Pebo', 'meK0MjC1sq', 'hs60fjtOjm', 'fa80R0BWCh', 'EIY0Pw7C4Y', 'yJZ0I6MrRA', 'yx70T7uewx', 'iLB0HiaMcR', 'YPh0Owk7Kq', 'IpF0uMnBAA'
Source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, b7lVpn1tLur0thox8f.cs	High entropy of concatenated method names: 'AW65e1UDB4', 'sDm50ImTyT', 'C6y5jV2aAf', 'LUS5M71UVs', 'g5Y5fObeNE', 'E0W5Pmhb1y', 'Ewp5I02HBC', 'DwF1tiT1LZ', 'lXg1g3jJAi', 'o5E1JaFRkd'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

File written: C:\ProgramData\Adobe\Adobe.exe

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

2_2_00406EB0

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

File created: C:\ProgramData\Adobe\Adobe.exe

Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK

Delayed program exit found

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0041AA4A

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK	Jump to behavior

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

2_2_0041CB50

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Adobe\Adobe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7928, type: MEMORYSTR

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0040F7A7 Sleep,ExitProcess,

2_2_0040F7A7

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Memory allocated: FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Memory allocated: 9630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Memory allocated: 8090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Memory allocated: A630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Memory allocated: B630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 7FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: A910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: B910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 8FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: A1B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: B1B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1900000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 32C0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 52C0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9850000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: A850000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: AA70000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: BA70000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 18E0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 3670000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 1CE0000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: 9930000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: A930000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: AB40000 memory reserve \| memory write watch
Source: C:\ProgramData\Adobe\Adobe.exe	Memory allocated: BB40000 memory reserve \| memory write watch

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

5_2_0040DD85

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

2_2_0041A748

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239891	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239766	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239421	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239312	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239199	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239094	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238984	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238875	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238766	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238655	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238531	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238393	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 237984	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 237828	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239859	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239749	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239516	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239406	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239297	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239780	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239648	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239422	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239313	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239860
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239735
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239625
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239516
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239366
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239032
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 238813
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239874
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239763
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239649
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239531
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239375
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239016
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 238758
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 238625

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Window / User API: threadDelayed 968	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Window / User API: threadDelayed 1993	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 1153	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 385	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 9602	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 802	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 387	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 355
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 781
Source: C:\ProgramData\Adobe\Adobe.exe	Window / User API: threadDelayed 778

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Evaded block: after key decision			graph_2-47075
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Evaded block: after key decision			graph_2-47051

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	API coverage: 6.6 %
Source: C:\ProgramData\Adobe\Adobe.exe	API coverage: 9.5 %

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -239891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -239766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -239641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -239531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -239421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -239312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -239199s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -239094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -238984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -238875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -238766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -238655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -238531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -238393s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -237984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 5228	Thread sleep time: -237828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe TID: 6112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7196	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7196	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7196	Thread sleep time: -239859s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7196	Thread sleep time: -239749s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7196	Thread sleep time: -239641s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7196	Thread sleep time: -239516s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7196	Thread sleep time: -239406s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7196	Thread sleep time: -239297s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7244	Thread sleep count: 385 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7244	Thread sleep time: -1155000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7244	Thread sleep count: 9602 > 30	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7244	Thread sleep time: -28806000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7516	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7516	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7516	Thread sleep time: -239890s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7516	Thread sleep time: -239780s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7516	Thread sleep time: -239648s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7516	Thread sleep time: -239531s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7516	Thread sleep time: -239422s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7516	Thread sleep time: -239313s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7844	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7844	Thread sleep time: -240000s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7844	Thread sleep time: -239860s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7844	Thread sleep time: -239735s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7844	Thread sleep time: -239625s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7844	Thread sleep time: -239516s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7844	Thread sleep time: -239366s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7844	Thread sleep time: -239032s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7844	Thread sleep time: -238813s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -240000s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -239874s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -239763s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -239649s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -239531s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -239375s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -239016s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -238758s >= -30000s
Source: C:\ProgramData\Adobe\Adobe.exe TID: 7964	Thread sleep time: -238625s >= -30000s

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_00409253
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	2_2_0041C291
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	2_2_0040C34D
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	2_2_00409665
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	2_2_0040880C
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040783C FindFirstFileW,FindNextFileW,	2_2_0040783C
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00419AF5
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040BB30
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW,	5_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00407898

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00407C97

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_00418981 memset,GetSystemInfo,

5_2_00418981

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239891	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239766	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239421	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239312	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239199	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 239094	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238984	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238875	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238766	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238655	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238531	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 238393	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 237984	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 237828	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239859	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239749	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239516	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239406	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239297	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239780	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239648	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239422	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239313	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239860
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239735
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239625
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239516
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239366
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239032
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 238813
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 240000
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239874
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239763
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239649
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239531
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239375
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 239016
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 238758
Source: C:\ProgramData\Adobe\Adobe.exe	Thread delayed: delay time: 238625

Source: Adobe.exe, 00000004.00000002.4178605857.000000000160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1
Source: Adobe.exe, 00000004.00000002.4178218379.0000000001597000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000004.00000002.4178605857.000000000160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv96DB.tmp.5.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: bhv96DB.tmp.5.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\ProgramData\Adobe\Adobe.exe

API call chain: ExitProcess graph end node

Source: C:\ProgramData\Adobe\Adobe.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_004349F9

Source: C:\ProgramData\Adobe\Adobe.exe

5_2_0040DD85

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

2_2_0041CB50

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_004432B5 mov eax, dword ptr fs:[00000030h]		2_2_004432B5
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10004AB4 mov eax, dword ptr fs:[00000030h]		4_2_10004AB4

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_00412077 GetProcessHeap,HeapFree,

2_2_00412077

Source: C:\ProgramData\Adobe\Adobe.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004349F9
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00434B47 SetUnhandledExceptionFilter,	2_2_00434B47
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0043BB22
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: 2_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00434FDC
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_100060E2
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_10002639
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: 4_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_10002B1C

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Memory written: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\Adobe\Adobe.exe	Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

2_2_00412117

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_00419627 mouse_event,

2_2_00419627

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process created: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe "C:\Users\user\Desktop\rSOD219ISF-____.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\trjggazotdeaznpdaliydbqndn"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\dtpyhskqhlwfkbdpjwuzggcwmubqst"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\dtpyhskqhlwfkbdpjwuzggcwmubqst"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\onurakujvtpjmhztaghtrsxnnatrlexmp"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe	Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"

Source: Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerG
Source: Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5
Source: Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_00434C52 cpuid

2_2_00434C52

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: EnumSystemLocalesW,	2_2_00452036
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_004520C3
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: GetLocaleInfoW,	2_2_00452313
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: EnumSystemLocalesW,	2_2_00448404
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0045243C
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: GetLocaleInfoW,	2_2_00452543
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00452610
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: GetLocaleInfoA,	2_2_0040F8D1
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: GetLocaleInfoW,	2_2_004488ED
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00451CD8
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: EnumSystemLocalesW,	2_2_00451F50
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: EnumSystemLocalesW,	2_2_00451F9B

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0040B164 GetLocalTime,wsprintfW,

2_2_0040B164

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_0041B60D GetUserNameW,

2_2_0041B60D

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: 2_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_004493AD

Source: C:\ProgramData\Adobe\Adobe.exe

Code function: 5_2_0041739B GetVersionExW,

5_2_0041739B

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Contains functionality to steal Chrome passwords or cookies

Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1933496998.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1731258252.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2015515611.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1847433881.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4178218379.0000000001597000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 8000, type: MEMORYSTR

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

2_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		2_2_0040BB30
Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe	Code function: \key3.db		2_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\ProgramData\Adobe\Adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\ProgramData\Adobe\Adobe.exe	Code function: ESMTPPassword	7_2_004033F0
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	7_2_00402DB3
Source: C:\ProgramData\Adobe\Adobe.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	7_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: Adobe.exe PID: 7420, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rSOD219ISF-____.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3d1e350.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3c63b30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSOD219ISF-____.scr.exe.3ba9310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1933496998.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1731258252.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2015515611.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1847433881.0000000001507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4178218379.0000000001597000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rSOD219ISF-____.scr.exe PID: 6756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Adobe.exe PID: 8000, type: MEMORYSTR

Source: C:\Users\user\Desktop\rSOD219ISF-____.scr.exe

Code function: cmd.exe

2_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	12 Software Packing	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	111 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	222 Process Injection	1 DLL Side-Loading	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Bypass User Account Control	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	222 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rSOD219ISF-____.scr.exe	26%	ReversingLabs
rSOD219ISF-____.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Adobe\Adobe.exe	100%	Joe Sandbox ML
C:\ProgramData\Adobe\Adobe.exe	26%	ReversingLabs

Source	Detection	Scanner	Label
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.imvu.comr	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://login.yahoo.com/config/login	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.imvu.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.ebuddy.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true		unknown
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.imvu.comr	Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W	bhv96DB.tmp.5.dr	false		unknown
https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad	bhv96DB.tmp.5.dr	false		unknown
http://www.fontbureau.com/designers?	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingth	bhv96DB.tmp.5.dr	false		unknown
http://geoplugin.net/json.gp.	Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc	bhv96DB.tmp.5.dr	false		unknown
http://www.tiro.com	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nirsoft.net	Adobe.exe, 00000005.00000002.1828485865.00000000007C4000.00000004.00000010.00020000.00000000.sdmp	false		unknown
https://aefd.nelreports.net/api/report?cat=bingaotak	bhv96DB.tmp.5.dr	false		unknown
https://deff.nelreports.net/api/report?cat=msn	bhv96DB.tmp.5.dr	false	URL Reputation: safe	unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr	bhv96DB.tmp.5.dr	false		unknown
http://www.goodfont.co.kr	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742	bhv96DB.tmp.5.dr	false		unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr	bhv96DB.tmp.5.dr	false		unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51	bhv96DB.tmp.5.dr	false		unknown
http://www.sajatypeworks.com	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	Adobe.exe, Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn/cThe	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c	bhv96DB.tmp.5.dr	false		unknown
http://www.galapagosdesign.com/staff/dennis.htm	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gp/C	rSOD219ISF-____.scr.exe, 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, rSOD219ISF-____.scr.exe, 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://maps.windows.com/windows-app-web-link	bhv96DB.tmp.5.dr	false		unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat	bhv96DB.tmp.5.dr	false		unknown
http://www.galapagosdesign.com/DPlease	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8	bhv96DB.tmp.5.dr	false		unknown
https://login.yahoo.com/config/login	Adobe.exe	false	URL Reputation: safe	unknown
http://www.fonts.com	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nirsoft.net/	Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
http://www.zhongyicts.com.cn	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rSOD219ISF-____.scr.exe, 00000000.00000002.1731455091.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, rSOD219ISF-____.scr.exe, 00000000.00000002.1731455091.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1743546290.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1743546290.0000000003274000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000009.00000002.1850620884.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000009.00000002.1850620884.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000E.00000002.1936073198.00000000032EB000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000E.00000002.1936073198.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.2020151696.000000000369B000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000011.00000002.2020151696.000000000370D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d	bhv96DB.tmp.5.dr	false		unknown
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d	bhv96DB.tmp.5.dr	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	bhv96DB.tmp.5.dr	false	URL Reputation: safe	unknown
https://www.office.com/	bhv96DB.tmp.5.dr	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8	bhv96DB.tmp.5.dr	false		unknown
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68	bhv96DB.tmp.5.dr	false		unknown
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2	bhv96DB.tmp.5.dr	false		unknown
http://geoplugin.net/json.gpl	Adobe.exe, 00000004.00000002.4178605857.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d	bhv96DB.tmp.5.dr	false		unknown
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437	bhv96DB.tmp.5.dr	false		unknown
http://www.imvu.com	Adobe.exe, Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=wsb	bhv96DB.tmp.5.dr	false		unknown
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326	bhv96DB.tmp.5.dr	false		unknown
http://www.carterandcone.coml	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03	bhv96DB.tmp.5.dr	false		unknown
http://www.fontbureau.com/designers/cabarga.htmlN	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingaot	bhv96DB.tmp.5.dr	false		unknown
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae	bhv96DB.tmp.5.dr	false		unknown
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7	bhv96DB.tmp.5.dr	false		unknown
http://www.jiyu-kobo.co.jp/	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	rSOD219ISF-____.scr.exe, 00000000.00000002.1736598400.0000000007162000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD	bhv96DB.tmp.5.dr	false		unknown
https://aefd.nelreports.net/api/report?cat=bingrms	bhv96DB.tmp.5.dr	false		unknown
https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993	bhv96DB.tmp.5.dr	false		unknown
https://www.google.com/accounts/servicelogin	Adobe.exe	false		unknown
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5	bhv96DB.tmp.5.dr	false		unknown
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3	bhv96DB.tmp.5.dr	false		unknown
https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135	bhv96DB.tmp.5.dr	false		unknown
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59	bhv96DB.tmp.5.dr	false		unknown
http://www.ebuddy.com	Adobe.exe, Adobe.exe, 00000008.00000002.1822520343.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1534674
Start date and time:	2024-10-16 05:31:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rSOD219ISF-____.scr.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@26/7@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 287 Number of non-executed functions: 252
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: rSOD219ISF-____.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
04:32:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
04:32:15	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
04:32:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
23:32:02	API Interceptor	19x Sleep call for process: rSOD219ISF-____.scr.exe modified
23:32:04	API Interceptor	4804156x Sleep call for process: Adobe.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.250.180.178	rWWTLCLtoUSADCL.scr.exe	Get hash	malicious	XWorm	Browse
	ttCOg61bOg.exe	Get hash	malicious	Remcos	Browse
	SKM_C364e24092511300346565787689900142344656767788755634232343456768953334466870.scr.exe	Get hash	malicious	Remcos	Browse
	ISF #U8a02#U8259#U55ae - KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse
	ISF 10+2 - SO - SO 4042 - ROTHENBERGER USA, INC#U51fa#U8ca8 TWSE0211390.scr.exe	Get hash	malicious	Remcos	Browse
	F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Get hash	malicious	XWorm	Browse
	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse
	6122.scr.exe	Get hash	malicious	Remcos	Browse
	6122.scr.exe	Get hash	malicious	Remcos	Browse
	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse
178.237.33.50	1729022872b8fae641a98b236571422197a34480f404f44291e36642b114aee58fc24f5bb1699.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1729014968354a73a6dcba5a43f0dc2c4d615a55b43a024f5a7b8361ffa956895f39b62184812.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	KULI500796821_PO20000003.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	na.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	geoplugin.net/json.gp
	Untitled_15-10-04.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Image_Attachments.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	rComandaKOMARONTRADESRL435635Lukketid.bat	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	remcos.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Accounts.exe	Get hash	malicious	DBatLoader, Remcos	Browse	geoplugin.net/json.gp
	na.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	1729022872b8fae641a98b236571422197a34480f404f44291e36642b114aee58fc24f5bb1699.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1729014968354a73a6dcba5a43f0dc2c4d615a55b43a024f5a7b8361ffa956895f39b62184812.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	KULI500796821_PO20000003.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	na.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	Untitled_15-10-04.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	Image_Attachments.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	rComandaKOMARONTRADESRL435635Lukketid.bat	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Accounts.exe	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	na.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	rWWTLCLtoUSADCL.scr.exe	Get hash	malicious	XWorm	Browse	104.250.180.178
	rComandaKOMARONTRADESRL435635Lukketid.bat	Get hash	malicious	Remcos, GuLoader	Browse	185.236.203.100
	FedEx_AWB#7805323204.exe	Get hash	malicious	Remcos	Browse	45.133.116.119
	https://crazy-moments.com	Get hash	malicious	Unknown	Browse	91.202.233.164
	na.elf	Get hash	malicious	Mirai	Browse	92.249.48.64
	na.elf	Get hash	malicious	Mirai	Browse	92.249.48.64
	na.elf	Get hash	malicious	Mirai	Browse	92.249.48.64
	na.elf	Get hash	malicious	Mirai	Browse	92.249.48.64
	na.elf	Get hash	malicious	Mirai	Browse	92.249.48.64
	na.elf	Get hash	malicious	Mirai	Browse	92.249.48.64
ATOM86-ASATOM86NL	1729022872b8fae641a98b236571422197a34480f404f44291e36642b114aee58fc24f5bb1699.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1729014968354a73a6dcba5a43f0dc2c4d615a55b43a024f5a7b8361ffa956895f39b62184812.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	KULI500796821_PO20000003.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	na.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	Untitled_15-10-04.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	Image_Attachments.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	rComandaKOMARONTRADESRL435635Lukketid.bat	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Accounts.exe	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	na.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50

Process:	C:\Users\user\Desktop\rSOD219ISF-____.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	940032
Entropy (8bit):	7.882482238123695
Encrypted:	false
SSDEEP:	24576:gRne6cHoCTTWJM8ipw1x6a/agcW8QhGM31u74Pw:gRne6cINh1XCgcW8ulw
MD5:	C50245598F59F8EF84262DD0D82D6E53
SHA1:	7DA1807F04997B506E0AE563E2064EBC050095AF
SHA-256:	7A9E36961AB5B2AB759EC2196D40618B1F43C5A04C40C01B31CFB4EA1ADFC347
SHA-512:	E34997748B88C9A28FF3CC16E04D1B12BB5ED9EEBDE0666D5FDCBBD0D2E8B0C98931D23B84875F05140A67F7160E182BD57D85608EF8E56EEAC1104BF8840756
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X$.g..............0..<..........vZ... ...`....@.. ....................................@.................................$Z..O....`..(............................................................................ ............... ..H............text....:... ...<.................. ..`.rsrc...(....`.......>..............@..@.reloc...............V..............@..B................XZ......H.......Hu...`......(...D.................................................{......{....V.( .....}......}.......0..C........u........6.,0(!....{.....{....o"...,.(#....{.....{....o$...+..+... .[\. )UU.Z(!....{....o%...X )UU.Z(#....{....o&...X.0..b........r...p......%..{.......%q.........-.&.+.......o'....%..{.......%q.........-.&.+.......o'....((.....{).....{...V.( .....}).....}....0..C........u........6.,0(!....{)....{)...o"...,.(#....{....{...o$...+..+... (.=. )U

C:\ProgramData\Adobe\Adobe.exe:Zone.Identifier

Process:	C:\Users\user\Desktop\rSOD219ISF-____.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Adobe.exe.log

Process:	C:\ProgramData\Adobe\Adobe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1506
Entropy (8bit):	5.354907256054077
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4XE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzeUE4KMRSE4x84j:MIHK5HKH1qHXHKnYHKh3oPtHo6hAHKz+
MD5:	3B0DCCA7437EE4A18285BC0E1E6820A5
SHA1:	612D1CDBB4133A546DA61CAA1F54C3368912905E
SHA-256:	CC1F6DABF5200875C241AF1890C8F2B54373CFC7BAFB5A48FD2841E4ABFE8BA1
SHA-512:	1A0CC564FDC650EF6965EC77999EA578CCD45C19972080C1B789EEB61A46A4452B37F8557E394C2A4C9D66AB8A4742E855B8804CDD44FDFB52C6173399CA6B0E
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rSOD219ISF-____.scr.exe.log

Process:	C:\Users\user\Desktop\rSOD219ISF-____.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1506
Entropy (8bit):	5.354907256054077
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4XE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzeUE4KMRSE4x84j:MIHK5HKH1qHXHKnYHKh3oPtHo6hAHKz+
MD5:	3B0DCCA7437EE4A18285BC0E1E6820A5
SHA1:	612D1CDBB4133A546DA61CAA1F54C3368912905E
SHA-256:	CC1F6DABF5200875C241AF1890C8F2B54373CFC7BAFB5A48FD2841E4ABFE8BA1
SHA-512:	1A0CC564FDC650EF6965EC77999EA578CCD45C19972080C1B789EEB61A46A4452B37F8557E394C2A4C9D66AB8A4742E855B8804CDD44FDFB52C6173399CA6B0E
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Process:	C:\ProgramData\Adobe\Adobe.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	956
Entropy (8bit):	5.016616617248742
Encrypted:	false
SSDEEP:	12:tkTLJend6UGkMyGWKyGXPVGArwY3AoQasHuGvB+Arpv/mOAaNO+ao9W7iN5zzkwV:qpSdVauKyGX85MEBZvXhNlT3/7l1DYro
MD5:	9220BE8AB34657C7535C5A2582857DC7
SHA1:	2BE54CB6D990A4F9C6D6AE30A618EAB88F181634
SHA-256:	0E97AB60A1FF8EECB241E186B7C690D4900E2922FBAE2125DA469EADEAAFD1F0
SHA-512:	23D31D1370AE2F5663F5957BA204BC16EA15E0B7F37669D55E3BB14B594FAAAA782E52926CED9E5D87E915910DF48945D57B7CC04CF44C3C7CE095EFB4D3BE01
Malicious:	false
Preview:	{. "geoplugin_request":"155.94.241.186",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Dallas",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"623",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"32.8137",. "geoplugin_longitude":"-96.8704",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\bhv96DB.tmp

Process:	C:\ProgramData\Adobe\Adobe.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xb9cde1ef, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	20447232
Entropy (8bit):	1.2827232622352809
Encrypted:	false
SSDEEP:	12288:+p0e+Mk76KAOfvUDL27+S25cF5FAHdO9uF:DML3Do+
MD5:	2F211AB5BE610B687DD8529C72613A29
SHA1:	0838B818CFA5C74A4528534BA2CB68D320305535
SHA-256:	05DFA78E60DB5351CDB5BE162E0BACFF3F6B91D075E5BB0F88B8076D9C7CF4AB
SHA-512:	0812C0C299B4C7F1EC2E87E358B458C6CB48D5F2F647ABFCD6BDA8B82C983C5C60D8F0246C5F6F8BD68D5EFECE3EE5D714CA3ED59E2DDE250EAC401B5D1CF5B3
Malicious:	false
Preview:	....... ........=......J}...0...{........................"..........{.......{/.h.$..........................3.s.0...{..............................................................................................c...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{;....................................h.....{/....................$.....{/..........................#......h.$.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trjggazotdeaznpdaliydbqndn

Process:	C:\ProgramData\Adobe\Adobe.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.882482238123695
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	rSOD219ISF-____.scr.exe
File size:	940'032 bytes
MD5:	c50245598f59f8ef84262dd0d82d6e53
SHA1:	7da1807f04997b506e0ae563e2064ebc050095af
SHA256:	7a9e36961ab5b2ab759ec2196d40618b1f43c5a04c40c01b31cfb4ea1adfc347
SHA512:	e34997748b88c9a28ff3cc16e04d1b12bb5ed9eebde0666d5fdcbbd0d2e8b0c98931d23b84875f05140a67f7160e182bd57d85608ef8e56eeac1104bf8840756
SSDEEP:	24576:gRne6cHoCTTWJM8ipw1x6a/agcW8QhGM31u74Pw:gRne6cINh1XCgcW8ulw
TLSH:	041512F21395CA16D2ED87B51530D7738378EE9FB021E3128EEA4DFB396178458A02D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X$.g..............0..<..........vZ... ...`....@.. ....................................@................................

File Icon


Icon Hash:	d4d5c869fdc4c4b9

Static PE Info

General

Entrypoint:	0x4e5a76
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x670F2458 [Wed Oct 16 02:26:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc ebx
add byte ptr [edx+00h], dh
jne 00007F3AC91008E2h
add byte ptr fs:[ecx+00h], al
jo 00007F3AC91008E2h
jo 00007F3AC91008E2h
insb
add byte ptr [ecx+00h], ch
arpl word ptr [eax], ax
popad
add byte ptr [eax+eax+69h], dh
add byte ptr [edi+00h], ch
outsb
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe5a24	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe6000	0x1628	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe3a9c	0xe3c00	1a8da37e08c1e3dc1494f2ae204cf40e	False	0.9345306496981339	data	7.889422160436118	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe6000	0x1628	0x1800	c311018d153f021d74a41574026b6709	False	0.7054036458333334	data	6.705151623966733	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe8000	0xc	0x200	59b9d44463c570cf88a3580f2bd49604	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xe60c8	0x120c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.841991341991342
RT_GROUP_ICON	0xe72e4	0x14	data	1.05
RT_VERSION	0xe7308	0x31c	data	0.4271356783919598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-16T05:32:08.209897+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49733	104.250.180.178	7902	TCP
2024-10-16T05:32:10.407621+0200	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49737	178.237.33.50	80	TCP
2024-10-16T05:32:10.928633+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49736	104.250.180.178	7902	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 16, 2024 05:32:06.532562971 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:06.537540913 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:06.537631035 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:06.543271065 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:06.548125029 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:08.154974937 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:08.209897041 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:08.480401039 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:08.484360933 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:08.489212036 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:08.489275932 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:08.494115114 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:09.155087948 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:09.156193972 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:09.161003113 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:09.487675905 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:09.490223885 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:09.495054007 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:09.495417118 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:09.499408007 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:09.504633904 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:09.537996054 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:09.546078920 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:32:09.551098108 CEST	80	49737	178.237.33.50	192.168.2.4
Oct 16, 2024 05:32:09.551170111 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:32:09.551311970 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:32:09.556152105 CEST	80	49737	178.237.33.50	192.168.2.4
Oct 16, 2024 05:32:10.404460907 CEST	80	49737	178.237.33.50	192.168.2.4
Oct 16, 2024 05:32:10.407620907 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:32:10.623059034 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:10.628032923 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:10.875361919 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:10.928632975 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.275352955 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.280466080 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.285371065 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.285497904 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.290446043 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.527120113 CEST	80	49737	178.237.33.50	192.168.2.4
Oct 16, 2024 05:32:11.527190924 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:32:11.715466976 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.715509892 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.715548038 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.715595007 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.715600014 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.715718985 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.715747118 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.715796947 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.715797901 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.715826988 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.715895891 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.715895891 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.715961933 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.715990067 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.716103077 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.716129065 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.716130018 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.716195107 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.720491886 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.720525026 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.720558882 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.720592022 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.720675945 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.720675945 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:11.720844984 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:11.772526979 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.075537920 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.075602055 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.075743914 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.075757980 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.075797081 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.075829983 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.075881004 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.075939894 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.075968981 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.076008081 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.076080084 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.076107025 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.076154947 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.076198101 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.076246023 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.076292992 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.080645084 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.080707073 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.080750942 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.080754995 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.080789089 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.080810070 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.080821991 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.080852985 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.081026077 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.131776094 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.193027973 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193064928 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193098068 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193119049 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.193155050 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193187952 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193253994 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193258047 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.193284988 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193434954 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.193480015 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193507910 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193557024 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193562984 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.193584919 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.193617105 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.197945118 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.197994947 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.198024035 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.198024035 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.198055983 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.198110104 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.198118925 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.198182106 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.198189974 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.241410971 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.398973942 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399007082 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399069071 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.399153948 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399182081 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399214983 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399245977 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399331093 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.399331093 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.399457932 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399486065 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399621010 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399648905 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399682999 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.399682999 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.399745941 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399774075 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399835110 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399885893 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.399908066 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.399975061 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.400033951 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.400062084 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.400474072 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.400506020 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.400538921 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.400552034 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.400571108 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.400604010 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.400619984 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.516808033 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.516846895 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.516900063 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.516904116 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.516948938 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.516983986 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517014027 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517035961 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.517045975 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517091990 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.517224073 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517273903 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517307997 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517314911 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.517363071 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517395973 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517442942 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.517591000 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517617941 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517700911 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.517700911 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.517756939 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517788887 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517821074 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.517885923 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.559240103 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.559288979 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.559325933 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.559341908 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.559411049 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.634169102 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634203911 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634237051 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634268999 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634296894 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.634303093 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634310961 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.634335041 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634402037 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.634684086 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634712934 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634744883 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634778023 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634819984 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634840965 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.634840965 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.634870052 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634901047 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.634947062 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.635145903 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.635173082 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.635201931 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.635237932 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.635284901 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.635288000 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.676711082 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.676742077 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.676763058 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.676852942 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.676852942 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.751358986 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.751441956 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.751514912 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.751543045 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.751558065 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.751590014 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.751652956 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.751705885 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.751738071 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.751753092 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.752159119 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752187967 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752216101 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.752238035 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752286911 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752306938 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.752321005 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752352953 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752362013 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.752388000 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752479076 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.752746105 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752854109 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752886057 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.752938986 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.794181108 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.794202089 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.794219017 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.794270039 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.794270039 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.869015932 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869031906 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869162083 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.869198084 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869210958 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869273901 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869287014 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869292021 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.869360924 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.869515896 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869564056 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869577885 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869630098 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.869669914 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869683981 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869699001 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869734049 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.869734049 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.869954109 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869977951 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.869992018 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.870075941 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.870249033 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.870264053 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.870277882 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.870349884 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.870349884 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.911616087 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.911653996 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.911686897 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.911706924 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.911721945 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.911791086 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.986382008 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.986413956 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.986489058 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.986676931 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.986710072 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.986746073 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.986788034 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.986938953 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.986990929 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987020969 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.987023115 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987066984 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987091064 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.987098932 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987131119 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987190008 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.987359047 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987411022 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.987428904 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987463951 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987521887 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.987566948 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987649918 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987699032 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.987737894 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987770081 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.987833977 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:12.995325089 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.995796919 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:12.995853901 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.028898001 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.028932095 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.028964996 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.029048920 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.069286108 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.103959084 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.103993893 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104187012 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104214907 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104248047 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104325056 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104356050 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104391098 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104460955 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104510069 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104542971 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104573965 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104581118 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.104608059 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104640961 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.104646921 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.104646921 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.104747057 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.105148077 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.105201960 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.105236053 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.105281115 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.105285883 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.105318069 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.105364084 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.112818956 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.112906933 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.113082886 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.146512032 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.146548986 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.146583080 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.146686077 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.146686077 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.221550941 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.221659899 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.221688986 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.221740007 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.221757889 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.221787930 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.221817017 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.221834898 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.221887112 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.221915007 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.221937895 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.221947908 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.221951008 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.221982956 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222018003 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222110987 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.222328901 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222377062 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.222383022 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222415924 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222491026 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.222553015 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222584963 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222615957 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222634077 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.222754955 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222800016 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.222805023 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222836971 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.222946882 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.263844967 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.263884068 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.263917923 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.264050961 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.306010962 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.314500093 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.314599037 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.314631939 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.314649105 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.339047909 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339102030 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339129925 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339160919 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.339163065 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339196920 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.339229107 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339256048 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339313984 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.339329004 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339379072 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339405060 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.339440107 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339473009 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339557886 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.339792967 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339826107 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339853048 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.339879036 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.339982986 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.340059042 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.340107918 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.340142012 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.340157986 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.340173006 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.340205908 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.340224028 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.381822109 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.381954908 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.382009029 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.382038116 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.382070065 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.382112980 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.382112980 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.431958914 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.432015896 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.432048082 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.432111025 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.456707001 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.456758022 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.456768990 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.456809044 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.456841946 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.456875086 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.456881046 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.456907034 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.456928015 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.456940889 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.456970930 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457005978 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457010031 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.457096100 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.457355022 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457437992 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457472086 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457485914 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.457520962 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457551956 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457636118 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.457710981 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457763910 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457793951 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.457798958 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.457844019 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.499649048 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.499689102 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.499722004 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.499758959 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.549355030 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.549390078 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.549422979 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.549442053 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.549529076 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.574625969 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.574742079 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.574773073 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.574805975 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.574807882 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.574841022 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.574873924 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.574903011 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.574911118 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.574927092 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.574961901 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.574990988 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.575023890 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.575047016 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.575079918 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.575094938 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.575110912 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.575144053 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.575153112 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.575176954 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.575210094 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.575249910 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.575262070 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.575306892 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.576071024 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.576908112 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.576984882 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.620884895 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.620918036 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.620950937 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.621028900 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.663047075 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.667017937 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.667118073 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.667149067 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.667190075 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.692413092 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692497015 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692507029 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.692543030 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692600012 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.692610979 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692653894 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692694902 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692709923 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.692737103 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692778111 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692823887 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692825079 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.692866087 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692909956 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692919016 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.692954063 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.692986965 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.693002939 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.693059921 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.693212986 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.693255901 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.693310976 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.693336964 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.693437099 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.693494081 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.694220066 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.735613108 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.735651970 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.735690117 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.735723972 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.735800982 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.784621000 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.784677982 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.784710884 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.784759998 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.809595108 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809634924 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809650898 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809731007 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.809787035 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.809885979 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809900999 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809916019 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809931040 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809947014 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809952974 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.809962034 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809978008 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.809988022 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.810019016 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.810231924 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.810247898 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.810262918 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.810277939 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.810298920 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.810317993 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.810619116 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.810633898 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.810648918 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.810662031 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.810667038 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.810698986 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.811527014 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.811543941 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.811602116 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.852777958 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.852812052 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.852844000 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.852901936 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.852901936 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.901866913 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.901920080 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.901952982 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.901976109 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.927218914 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927270889 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927304983 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927336931 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927371025 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927412033 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.927462101 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927495003 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927530050 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927546978 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.927546978 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.927561998 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927633047 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.927812099 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927843094 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927875996 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927898884 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.927906990 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927941084 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.927961111 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.928272009 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.928366899 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.928395987 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.928427935 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.928462029 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.928478003 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.928493023 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.928524971 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.928551912 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.928560019 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.928622961 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:13.928653002 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.970891953 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.970926046 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.970957994 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:13.971116066 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.019443035 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.019475937 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.019509077 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.019606113 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.044459105 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.044508934 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.044509888 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.044543028 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.044594049 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.044620991 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.044625998 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.044661045 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.044723988 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.044858932 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.044909000 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.044945002 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.044972897 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045022011 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045053005 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045067072 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.045087099 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045232058 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.045407057 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045439959 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045470953 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045480013 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.045556068 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.045592070 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045651913 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045700073 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045732975 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045747042 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.045764923 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.045809984 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.046169996 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.046219110 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.046267986 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.046299934 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.046309948 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.046309948 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.046331882 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.046602964 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.088660002 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.088713884 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.088728905 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.088763952 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.131797075 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.136857033 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.136876106 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.136890888 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.136986017 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.162000895 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162055016 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162086010 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162100077 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.162147999 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.162182093 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162314892 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162343979 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162377119 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162379980 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.162410975 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162444115 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.162461996 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162511110 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162549019 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.162650108 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162699938 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162731886 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162738085 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.162764072 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.162811995 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.163103104 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163151026 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163183928 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163188934 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.163216114 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163249016 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163252115 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.163341045 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.163636923 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163686037 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163718939 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163752079 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163759947 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.163786888 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163819075 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.163861990 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.163862944 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.164258957 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.164360046 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.164583921 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.206218958 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.206254005 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.206286907 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.206307888 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.254566908 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.254585028 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.254596949 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.254678011 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.254700899 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.280040979 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280054092 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280071020 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280177116 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.280213118 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280222893 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280234098 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280263901 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.280344963 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.280390978 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280400991 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280466080 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.280514002 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280524969 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280534983 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280544996 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280595064 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.280595064 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.280870914 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280888081 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280900002 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280910015 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280920982 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.280936956 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.280966997 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.281462908 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.281476021 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.281486034 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.281513929 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.281517982 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.281517982 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.281527996 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.281538963 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.281548977 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.281560898 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.281574011 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.281611919 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.282181025 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.282197952 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.282208920 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.282233953 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.282234907 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.325393915 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.325432062 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.325484037 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.325503111 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.367413044 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.372461081 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.372489929 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.372523069 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.372551918 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.372555017 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.373080015 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.397701025 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397713900 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397725105 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397736073 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397747040 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397757053 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397763014 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397783995 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.397802114 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.397814989 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397825003 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397835016 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397845984 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.397872925 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.397872925 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.398032904 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398044109 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398087978 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.398142099 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398154974 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398164988 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398175001 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398216963 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.398216963 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.398483038 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398494959 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398504972 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398542881 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.398546934 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398551941 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.398559093 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398569107 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398580074 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398590088 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.398627043 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.398627043 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.399111032 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.399122953 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.399133921 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.399178028 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.399178028 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.399298906 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.399310112 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.399319887 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.399382114 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.442913055 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.442924976 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.442934990 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.443336010 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.489828110 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.489840984 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.489850998 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.489903927 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.515019894 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.515043974 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.515059948 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.515069962 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.515081882 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.515094042 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.515167952 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.515181065 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.515191078 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:14.515382051 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:14.569298983 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:15.734240055 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:15.739398956 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.739413023 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.739423037 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.739443064 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.739450932 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.739459991 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.739469051 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.739487886 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.739499092 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.739499092 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:15.739516973 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.744410992 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.744421005 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.744427919 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.744503021 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.744512081 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.744520903 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.744822979 CEST	7902	49736	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:15.745444059 CEST	49736	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:32.037137985 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:32:32.038705111 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:32:32.043593884 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:33:02.041340113 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:33:02.084969044 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:33:02.178415060 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:33:02.183479071 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:33:32.080143929 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:33:32.116516113 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:33:32.121355057 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:33:59.507484913 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:33:59.819467068 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:34:00.428819895 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:34:01.632101059 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:34:02.197309017 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:34:02.202017069 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:34:02.206837893 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:34:04.038173914 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:34:08.850801945 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:34:18.460115910 CEST	49737	80	192.168.2.4	178.237.33.50
Oct 16, 2024 05:34:32.201476097 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:34:32.208182096 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:34:32.213012934 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:35:02.236373901 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:35:02.238965988 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:35:02.243904114 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:35:32.276982069 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:35:32.279669046 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:35:32.284565926 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:36:02.317852020 CEST	7902	49733	104.250.180.178	192.168.2.4
Oct 16, 2024 05:36:02.321472883 CEST	49733	7902	192.168.2.4	104.250.180.178
Oct 16, 2024 05:36:02.326741934 CEST	7902	49733	104.250.180.178	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 16, 2024 05:32:09.532557964 CEST	50185	53	192.168.2.4	1.1.1.1
Oct 16, 2024 05:32:09.540483952 CEST	53	50185	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 16, 2024 05:32:09.532557964 CEST	192.168.2.4	1.1.1.1	0x3800	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 16, 2024 05:32:09.540483952 CEST	1.1.1.1	192.168.2.4	0x3800	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	178.237.33.50	80	7224	C:\ProgramData\Adobe\Adobe.exe

Timestamp	Bytes transferred	Direction	Data
Oct 16, 2024 05:32:09.551311970 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Oct 16, 2024 05:32:10.404460907 CEST	1164	IN	HTTP/1.1 200 OK date: Wed, 16 Oct 2024 03:32:10 GMT server: Apache content-length: 956 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 44 61 6c 6c 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c [TRUNCATED] Data Ascii: { "geoplugin_request":"155.94.241.186", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Dallas", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"623", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"32.8137", "geoplugin_longitude":"-96.8704", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	23:32:02
Start date:	15/10/2024
Path:	C:\Users\user\Desktop\rSOD219ISF-____.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rSOD219ISF-____.scr.exe"
Imagebase:	0x430000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1733891519.0000000003AE2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	23:32:04
Start date:	15/10/2024
Path:	C:\Users\user\Desktop\rSOD219ISF-____.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rSOD219ISF-____.scr.exe"
Imagebase:	0x760000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.1731258252.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.1730980187.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	23:32:04
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xd20000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	23:32:05
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xe50000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4178218379.0000000001597000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	5
Start time:	23:32:13
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\trjggazotdeaznpdaliydbqndn"
Imagebase:	0x550000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	23:32:13
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\dtpyhskqhlwfkbdpjwuzggcwmubqst"
Imagebase:	0x200000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	23:32:13
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\dtpyhskqhlwfkbdpjwuzggcwmubqst"
Imagebase:	0xf10000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	23:32:13
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\onurakujvtpjmhztaghtrsxnnatrlexmp"
Imagebase:	0xf30000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	23:32:15
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0x620000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	23:32:16
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xf40000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1847433881.0000000001507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	14
Start time:	23:32:23
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xea0000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	15
Start time:	23:32:24
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0x2d0000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	16
Start time:	23:32:24
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xe20000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1933496998.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	17
Start time:	23:32:31
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xfc0000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.2041165688.0000000004671000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	18
Start time:	23:32:33
Start date:	15/10/2024
Path:	C:\ProgramData\Adobe\Adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Adobe\Adobe.exe"
Imagebase:	0xf90000
File size:	940'032 bytes
MD5 hash:	C50245598F59F8EF84262DD0D82D6E53
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.2015515611.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true